Privileges Elevation via Parent Process PID Spoofing

Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

Elastic rule

[metadata]
creation_date = "2022/10/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process
identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Privileges Elevation via Parent Process PID Spoofing"
references = [
    "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6",
    "https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/",
    "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute",
    "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md",
]
risk_score = 73
rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* This rule is compatible with Elastic Endpoint only */

process where host.os.type == "windows" and event.action == "start" and

 /* process creation via seclogon */
 process.parent.Ext.real.pid > 0 and

 /* PrivEsc to SYSTEM */
 user.id : "S-1-5-18"  and

 /* Common FPs - evasion via hollowing is possible, should be covered by code injection */
 not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
                           "?:\\Windows\\SysWOW64\\WerFault.exe",
                           "?:\\Windows\\System32\\WerFaultSecure.exe",
                           "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
                           "?:\\Windows\\System32\\Wermgr.exe",
                           "?:\\Windows\\SysWOW64\\Wermgr.exe",
                           "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
 /* Logon Utilities */
 not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
     process.executable : ("?:\\Windows\\System32\\osk.exe",
                           "?:\\Windows\\System32\\Narrator.exe",
                           "?:\\Windows\\System32\\Magnify.exe",
                           "?:\\Windows\\System32\\VoiceAccess.exe")) and

 not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and

 not (process.code_signature.subject_name in
           ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.",
            "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) and

 /* AM_Delta_Patch Windows Update */
 not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and
      process.parent.executable : ("?:\\Windows\\System32\\wuauclt.exe",
                                   "?:\\Windows\\SysWOW64\\wuauclt.exe",
                                   "?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe",
                                   "?:\\Windows\\UUS\\amd64\\wuauclt.exe",
                                   "?:\\Windows\\UUS\\amd64\\wuaucltcore.exe",
                                   "?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and
 not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and

 /* Other third party SW */
 not process.parent.executable :
                   ("?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe",
                    "?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe",
                    "?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe",
                    "?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe",
                    "?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe",
                    "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
                    "?:\\Program Files\\Freedom Scientific\\*.exe",
                    "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
                    "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and
 not (
    process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and
    process.name : "adcrcpy.exe" and process.parent.name : (
      "Netwrix.ADA.EventCollector.exe",
      "Netwrix.ADA.Analyzer.exe"
    )
 )
'''

note = """## Triage and analysis

### Investigating Privileges Elevation via Parent Process PID Spoofing

#### Possible investigation steps

- Does the alert show a SYSTEM child with a spoofed parent relationship?
  - Focus: `user.id`, token integrity, `process.parent.pid`, `process.parent.Ext.real.pid`, and `process.parent.executable`.
  - Implication: escalate when a SYSTEM child has a nonzero real-creator PID that differs from the reported parent, especially when that parent gives trusted system, service, or desktop cover; treat a recognized broker or authorized test as only a candidate benign path until creator and child intent are checked.
  - Why: PPID spoofing can make process-tree views show the selected parent instead of the process that requested creation.
- Which process actually requested the spoofed launch?
  - Focus: recovered creator for `process.parent.Ext.real.pid`: `process.entity_id`, `process.executable`, `process.command_line`, signer, and trust state.
  - Implication: escalate when the creator is unsigned, user-writable, a shell or script launcher, or unrelated to the reported parent; lower suspicion only for a stable signed vendor, update, accessibility, audit, or test component tied to the same workflow.
  - Why: the Windows parent-process attribute can select a parent handle, so the recovered creator is the actor path the visible parent may hide.
  - Hint: search the same `host.id` around `@timestamp` for `process.pid` = `process.parent.Ext.real.pid`; keep PID windows tight because PIDs are reused. $investigate_0
- Does the SYSTEM child identity and command line fit the recovered creator workflow?
  - Focus: `process.executable`, `process.command_line`, `process.pe.original_file_name`, signer, and trust state.
  - Implication: escalate when the child is a shell, script host, renamed binary, user-writable executable, unsigned or untrusted, or has commands that do not belong to the recovered creator; trusted signing reduces identity concern but does not clear PPID spoofing without launch-context fit.
- Did the spoofed SYSTEM child launch follow-on activity?
  - Focus: child process events from `process.entity_id`, reviewing `process.executable`, `process.command_line`, and `user.id`. $investigate_1
  - Implication: escalate when it spawns shells, scripting, credential, service, or lateral-movement tooling under SYSTEM; no descendants lowers immediate impact but does not clear a suspicious creator or child identity.
  - Hint: if `process.entity_id` is unavailable, fall back to `host.id`, `process.pid`, and a tight alert-time window.
- If escalation is likely, what is the immediate scope?
  - Focus: prior process alerts for `host.id` and `user.id` with matching child executable or hash, reported parent, and real-creator PID.
    - $investigate_2
    - $investigate_3
  - Implication: expand containment and scoping when the same child or creator appears on other hosts or unrelated users; keep scope local when the tuple is isolated and no descendant activity contradicts it. Do not use recurrence alone to close.
  - Range: use a lookback that fits endpoint retention.

Disposition: escalate when PPID spoofing to SYSTEM has an unrecognized creator, suspicious child, misleading parent, SYSTEM follow-on activity, or cross-host scope. Close only when alert and recovered telemetry tie the event to one exact recognized broker or authorized test and no descendant evidence contradicts it; preserve evidence and escalate when recovery is incomplete or evidence conflicts.

### False positive analysis

- Signed broker cases require the exact telemetry tuple: child path, signer, and command; reported parent path; recovered creator path, signer, and command; and host/user cohort. Authorized PPID-spoofing tests require exact host, time, tester, test binary, parent PID, real creator PID, and child command line. Without that tie to one product or test, treat as suspicious because the rule already filters common Windows Error Reporting, update, accessibility, remote-support, and Netwrix patterns.
- Build exceptions only from the minimum confirmed tuple: `process.hash.sha256` or `process.code_signature.thumbprint_sha256`, `process.executable`, `process.parent.executable`, recovered creator identity, `host.id` or managed host group, and the test or product command pattern. Avoid exceptions on `process.name`, `process.parent.name`, or signer alone.

### Response and remediation

- If confirmed benign: document the exact child, reported parent, real creator, signer, command line, host, and user evidence that proved the workflow; reverse any temporary containment and create only a narrow exception for the same tuple.
- If suspicious but unconfirmed: preserve the alert, process event, recovered creator and descendant process records, process entity IDs and PIDs, command lines, hashes, signers, and current process state before containment. Use reversible containment such as host isolation or temporary policy controls based on host criticality; avoid killing the child or creator until evidence is preserved.
- If confirmed malicious: isolate the affected host when identity, lineage, or descendant evidence shows unauthorized SYSTEM execution. Before termination, record `process.entity_id`, `process.parent.Ext.real.pid`, `process.command_line`, and `process.hash.sha256`; then terminate malicious child or descendant processes and remove only the binaries, scripts, services, or persistence found during follow-on investigation.
- Reset or rotate credentials only for accounts, services, or remote-access paths whose misuse is confirmed by additional evidence. Do not treat SYSTEM context alone as proof that a named user credential was compromised.
- Post-incident hardening: restrict administrative paths that can obtain parent-process creation privileges, review who can run PPID-spoofing test tools, and document the confirmed tuple or malicious artifact set so future analysts can separate repeated product behavior from repeated abuse."""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.Ext.token.integrity_level_name",
    "process.Ext.token.elevation_level",
    "process.parent.pid",
    "process.parent.Ext.real.pid",
    "process.parent.executable",
    "process.hash.sha256",
    "process.code_signature.trusted",
    "process.code_signature.subject_name",
]

[transform]

[[transform.investigate]]
label = "Real creator process event"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.Ext.real.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-15m"
relativeTo = "now"

[[transform.investigate]]
label = "Descendant process events for the spoofed child"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[[rule.threat.technique.subtechnique]]
id = "T1134.004"
name = "Parent PID Spoofing"
reference = "https://attack.mitre.org/techniques/T1134/004/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

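The rule's core predicate and a subset of its exclusions, re-implemented over constructed, flattened process events as an added example (not Elastic's code) so the EQL wildcard and absent-field behaviour of the query can be checked offline; the field names and patterns are the rule's own, the event values are made up.

```python
from fnmatch import fnmatchcase

SYSTEM_SID = "S-1-5-18"

# Patterns copied from the rule. EQL's ':' is case-insensitive and treats '?' as one
# character (the drive letter here) and '*' as any run; fnmatch uses the same two
# metacharacters, so the rule's patterns are reused verbatim.
WER_CHILDREN = [r"?:\Windows\System32\WerFault.exe", r"?:\Windows\SysWOW64\WerFault.exe",
                r"?:\Windows\System32\WerFaultSecure.exe", r"?:\Windows\System32\Wermgr.exe"]
ACCESSIBILITY_CHILDREN = [r"?:\Windows\System32\osk.exe", r"?:\Windows\System32\Narrator.exe",
                          r"?:\Windows\System32\Magnify.exe", r"?:\Windows\System32\VoiceAccess.exe"]
MPSIGSTUB = [r"?:\Windows\System32\MpSigStub.exe", r"?:\Windows\SysWOW64\MpSigStub.exe"]
WUAUCLT_PARENTS = [r"?:\Windows\System32\wuauclt.exe", r"?:\Windows\UUS\Packages\Preview\*\wuaucltcore.exe"]
TRUSTED_SIGNERS = {"TeamViewer Germany GmbH", "Cisco WebEx LLC", "Dell Inc"}

def _matches_any(value, patterns):
    # An absent field never matches, so a negated clause passes on it, as in EQL;
    # that is why the rule needs its explicit 'process.parent.executable == null' case.
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """True when the flattened event satisfies the rule's query (subset of exclusions)."""
    if ev.get("host.os.type") != "windows" or ev.get("event.action") != "start":
        return False
    # Core signal: the endpoint recorded a real creator PID for the child (the rule's
    # 'process creation via seclogon' clause) and the child runs as SYSTEM.
    if (ev.get("process.parent.Ext.real.pid") or 0) <= 0 or ev.get("user.id") != SYSTEM_SID:
        return False
    exe, parent = ev.get("process.executable"), ev.get("process.parent.executable")
    if _matches_any(exe, WER_CHILDREN):
        return False
    if _matches_any(parent, [r"?:\Windows\System32\Utilman.exe"]) and _matches_any(exe, ACCESSIBILITY_CHILDREN):
        return False
    if _matches_any(parent, [r"?:\Windows\System32\AtBroker.exe"]):
        return False
    if ev.get("process.code_signature.trusted") is True and ev.get("process.code_signature.subject_name") in TRUSTED_SIGNERS:
        return False
    if _matches_any(exe, MPSIGSTUB) and (parent is None or _matches_any(parent, WUAUCLT_PARENTS)):
        return False
    return True

# Constructed sample events (not real telemetry); only the first should fire.
SAMPLE_EVENTS = {
    "spoofed_shell": {"host.os.type": "windows", "event.action": "start", "user.id": SYSTEM_SID,
                      "process.parent.Ext.real.pid": 4321, "process.executable": r"C:\Windows\System32\cmd.exe",
                      "process.parent.executable": r"C:\Windows\explorer.exe",
                      "process.code_signature.trusted": True, "process.code_signature.subject_name": "Microsoft Windows"},
    "werfault": {"host.os.type": "windows", "event.action": "start", "user.id": SYSTEM_SID,
                 "process.parent.Ext.real.pid": 7788, "process.executable": r"c:\windows\system32\werfault.exe",
                 "process.parent.executable": r"C:\Windows\System32\svchost.exe"},
    "osk_from_utilman": {"host.os.type": "windows", "event.action": "start", "user.id": SYSTEM_SID,
                         "process.parent.Ext.real.pid": 912, "process.executable": r"D:\Windows\System32\osk.exe",
                         "process.parent.executable": r"D:\Windows\System32\Utilman.exe"},
    "mpsigstub_orphan": {"host.os.type": "windows", "event.action": "start", "user.id": SYSTEM_SID,
                         "process.parent.Ext.real.pid": 2200, "process.executable": r"C:\Windows\System32\MpSigStub.exe"},
}

def alerting_events(events):
    """Names of the sample events that would fire the rule."""
    return [name for name, ev in events.items() if matches_rule(ev)]
```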

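The creator-recovery lookup from the triage hint (`process.pid` = `process.parent.Ext.real.pid` on the same `host.id` in a tight window, because PIDs are reused), as an added example that is not part of the rule; the events, entity IDs, `SHELLS` list and `creator_concerns` heuristics are constructed for illustration.

```python
from datetime import datetime, timedelta

# Image names the triage note treats as shells or script launchers (constructed list).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _ts(s):
    return datetime.fromisoformat(s)

def recover_creator(alert, events, window=timedelta(minutes=15)):
    """Return the start event of the process that held the alert's real-creator PID
    on the same host at alert time, or None when it cannot be tied down."""
    t_alert, pid, host = _ts(alert["@timestamp"]), alert["process.parent.Ext.real.pid"], alert["host.id"]
    starts = [e for e in events
              if e["host.id"] == host and e["event.action"] == "start" and e["process.pid"] == pid
              and t_alert - window <= _ts(e["@timestamp"]) <= t_alert]
    if not starts:
        return None
    # PIDs are reused: the most recent start before the alert is the holder of the
    # PID, and an earlier holder with the same number is a reuse, not the creator.
    creator = max(starts, key=lambda e: _ts(e["@timestamp"]))
    # If that holder had already exited when the child started, the window is
    # stale (or telemetry is incomplete) and the lookup must not guess.
    ended_before_alert = any(
        e["event.action"] == "end" and e["process.entity_id"] == creator["process.entity_id"]
        and _ts(e["@timestamp"]) < t_alert for e in events)
    return None if ended_before_alert else creator

def creator_concerns(creator):
    """Escalation signals from the triage note: untrusted or unsigned image,
    user-writable path, or a shell / script launcher as the creator."""
    concerns = []
    if not creator.get("process.code_signature.trusted"):
        concerns.append("untrusted-or-unsigned")
    exe = creator["process.executable"].lower()
    if exe.startswith("c:\\users\\") or "\\appdata\\" in exe or "\\temp\\" in exe:
        concerns.append("user-writable-path")
    if exe.rsplit("\\", 1)[-1] in SHELLS:
        concerns.append("shell-or-script-host")
    return concerns

# Constructed sample (not real telemetry): PID 4321 first belongs to a short-lived
# conhost, then is reused by an unsigned loader in %TEMP%, which is the process
# that actually requested the alerting SYSTEM child.
EVENTS = [
    {"@timestamp": "2026-05-03T09:00:00+00:00", "host.id": "h1", "event.action": "start", "process.pid": 4321,
     "process.entity_id": "e-old", "process.executable": r"C:\Windows\System32\conhost.exe",
     "process.code_signature.trusted": True},
    {"@timestamp": "2026-05-03T09:05:00+00:00", "host.id": "h1", "event.action": "end", "process.pid": 4321,
     "process.entity_id": "e-old"},
    {"@timestamp": "2026-05-03T09:10:00+00:00", "host.id": "h1", "event.action": "start", "process.pid": 4321,
     "process.entity_id": "e-loader", "process.executable": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "process.code_signature.trusted": False},
]
ALERT = {"@timestamp": "2026-05-03T09:12:00+00:00", "host.id": "h1", "user.id": "S-1-5-18",
         "process.parent.Ext.real.pid": 4321, "process.parent.executable": r"C:\Windows\explorer.exe"}
```

Widening `window` past what endpoint retention and PID churn justify is how the earlier, exited holder gets misattributed; the exit check catches that only when the end event was collected.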