Parent Process PID Spoofing

calendar Sep 25, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Tactic: Privilege Escalation Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2021/07/14"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2024/09/23"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID)
 11of a new process to evade process-monitoring defenses or to elevate privileges.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Parent Process PID Spoofing"
 18references = [
 19    "https://blog.didierstevens.com/2017/03/20/",
 20    "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
 21]
 22risk_score = 73
 23rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
 24severity = "high"
 25tags = [
 26    "Domain: Endpoint",
 27    "OS: Windows",
 28    "Use Case: Threat Detection",
 29    "Tactic: Defense Evasion",
 30    "Tactic: Privilege Escalation",
 31    "Data Source: Elastic Defend",
 32]
 33type = "eql"
 34
 35query = '''
 36/* This rule is compatible with Elastic Endpoint only */
 37
 38sequence by host.id, user.id with maxspan=3m 
 39
 40 [process where host.os.type == "windows" and event.type == "start" and
 41  process.Ext.token.integrity_level_name != "system" and 
 42  (
 43    process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
 44                                     "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
 45                                     "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
 46                                     "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or 
 47                                     
 48    (process.executable : ("?:\\Users\\*.exe",
 49                           "?:\\ProgramData\\*.exe",
 50                           "?:\\Windows\\Temp\\*.exe",
 51                           "?:\\Windows\\Tasks\\*") and 
 52      (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or 
 53                          
 54    process.executable : "?:\\Windows\\Microsoft.NET\\*.exe"                      
 55  ) and 
 56  
 57  not process.executable : 
 58             ("?:\\Windows\\System32\\WerFaultSecure.exe", 
 59              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
 60              "?:\\Windows\\System32\\WerFault.exe",
 61              "?:\\Windows\\SysWOW64\\WerFault.exe")
 62  ] by process.pid
 63 [process where host.os.type == "windows" and event.type == "start" and
 64  process.parent.Ext.real.pid > 0 and 
 65 
 66  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
 67  not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and 
 68  
 69   not process.executable : 
 70             ("?:\\Windows\\System32\\WerFaultSecure.exe", 
 71              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
 72              "?:\\Windows\\System32\\WerFault.exe",
 73              "?:\\Windows\\SysWOW64\\WerFault.exe")
 74 ] by process.parent.Ext.real.pid
 75'''
 76
 77
 78[[rule.threat]]
 79framework = "MITRE ATT&CK"
 80[[rule.threat.technique]]
 81id = "T1134"
 82name = "Access Token Manipulation"
 83reference = "https://attack.mitre.org/techniques/T1134/"
 84[[rule.threat.technique.subtechnique]]
 85id = "T1134.004"
 86name = "Parent PID Spoofing"
 87reference = "https://attack.mitre.org/techniques/T1134/004/"
 88
 89
 90
 91[rule.threat.tactic]
 92id = "TA0005"
 93name = "Defense Evasion"
 94reference = "https://attack.mitre.org/tactics/TA0005/"
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97[[rule.threat.technique]]
 98id = "T1134"
 99name = "Access Token Manipulation"
100reference = "https://attack.mitre.org/techniques/T1134/"
101[[rule.threat.technique.subtechnique]]
102id = "T1134.004"
103name = "Parent PID Spoofing"
104reference = "https://attack.mitre.org/techniques/T1134/004/"
105
106
107
108[rule.threat.tactic]
109id = "TA0004"
110name = "Privilege Escalation"
111reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top