Privileges Elevation via Parent Process PID Spoofing

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/10/20"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.3.0"
  7updated_date = "2023/08/22"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process
 13identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Privileges Elevation via Parent Process PID Spoofing"
 20references = [
 21    "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6",
 22    "https://blog.didierstevens.com/2017/03/20/",
 23    "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute",
 24    "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md",
 25]
 26risk_score = 73
 27rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b"
 28severity = "high"
 29tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 30timestamp_override = "event.ingested"
 31type = "eql"
 32
 33query = '''
 34/* This rule is compatible with Elastic Endpoint only */
 35
 36process where host.os.type == "windows" and event.action == "start" and
 37
 38 /* process creation via seclogon */
 39 process.parent.Ext.real.pid > 0 and
 40
 41 /* PrivEsc to SYSTEM */
 42 user.id : "S-1-5-18"  and
 43
 44 /* Common FPs - evasion via hollowing is possible, should be covered by code injection */
 45 not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
 46                           "?:\\Windows\\SysWOW64\\WerFault.exe",
 47                           "?:\\Windows\\System32\\WerFaultSecure.exe",
 48                           "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
 49                           "?:\\Windows\\System32\\Wermgr.exe",
 50                           "?:\\Windows\\SysWOW64\\Wermgr.exe",
 51                           "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
 52 /* Logon Utilities */
 53 not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
 54     process.executable : ("?:\\Windows\\System32\\osk.exe",
 55                           "?:\\Windows\\System32\\Narrator.exe",
 56                           "?:\\Windows\\System32\\Magnify.exe")) and
 57
 58 not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and
 59
 60 not (process.code_signature.subject_name in
 61           ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.",
 62            "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) and 
 63
 64 /* AM_Delta_Patch Windows Update */
 65 not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and
 66      process.parent.executable : ("?:\\Windows\\System32\\wuauclt.exe", 
 67                                   "?:\\Windows\\SysWOW64\\wuauclt.exe", 
 68                                   "?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe", 
 69                                   "?:\\Windows\\UUS\\amd64\\wuauclt.exe", 
 70                                   "?:\\Windows\\UUS\\amd64\\wuaucltcore.exe", 
 71                                   "?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and
 72 not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and
 73
 74 /* Other third party SW */
 75 not process.parent.executable :
 76                   ("?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe",
 77                    "?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe",
 78                    "?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe",
 79                    "?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe",
 80                    "?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe",
 81                    "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
 82                    "?:\\Program Files\\Freedom Scientific\\*.exe",
 83                    "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
 84                    "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe")
 85'''
 86
 87
 88[[rule.threat]]
 89framework = "MITRE ATT&CK"
 90[[rule.threat.technique]]
 91id = "T1134"
 92name = "Access Token Manipulation"
 93reference = "https://attack.mitre.org/techniques/T1134/"
 94[[rule.threat.technique.subtechnique]]
 95id = "T1134.002"
 96name = "Create Process with Token"
 97reference = "https://attack.mitre.org/techniques/T1134/002/"
 98
 99[[rule.threat.technique.subtechnique]]
100id = "T1134.004"
101name = "Parent PID Spoofing"
102reference = "https://attack.mitre.org/techniques/T1134/004/"
103
104
105
106[rule.threat.tactic]
107id = "TA0004"
108name = "Privilege Escalation"
109reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top