Privileges Elevation via Parent Process PID Spoofing

Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/10/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process
identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Privileges Elevation via Parent Process PID Spoofing"
references = [
    "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6",
    "https://blog.didierstevens.com/2017/03/20/",
    "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute",
    "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md",
]
risk_score = 73
rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* This rule is compatible with Elastic Endpoint only */

process where host.os.type == "windows" and event.action == "start" and

 /* process creation via seclogon */
 process.parent.Ext.real.pid > 0 and

 /* PrivEsc to SYSTEM */
 user.id : "S-1-5-18"  and

 /* Common FPs - evasion via hollowing is possible, should be covered by code injection */
 not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
                           "?:\\Windows\\SysWOW64\\WerFault.exe",
                           "?:\\Windows\\System32\\WerFaultSecure.exe",
                           "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
                           "?:\\Windows\\System32\\Wermgr.exe",
                           "?:\\Windows\\SysWOW64\\Wermgr.exe",
                           "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
 /* Logon Utilities */
 not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
     process.executable : ("?:\\Windows\\System32\\osk.exe",
                           "?:\\Windows\\System32\\Narrator.exe",
                           "?:\\Windows\\System32\\Magnify.exe")) and

 not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and

 not (process.code_signature.subject_name in
           ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.",
            "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) and

 /* AM_Delta_Patch Windows Update */
 not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and
      process.parent.executable : ("?:\\Windows\\System32\\wuauclt.exe",
                                   "?:\\Windows\\SysWOW64\\wuauclt.exe",
                                   "?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe",
                                   "?:\\Windows\\UUS\\amd64\\wuauclt.exe",
                                   "?:\\Windows\\UUS\\amd64\\wuaucltcore.exe",
                                   "?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and
 not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and

 /* Other third party SW */
 not process.parent.executable :
                   ("?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe",
                    "?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe",
                    "?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe",
                    "?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe",
                    "?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe",
                    "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
                    "?:\\Program Files\\Freedom Scientific\\*.exe",
                    "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
                    "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and
 not (
    process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and
    process.name : "adcrcpy.exe" and process.parent.executable : (
      "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe",
      "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.Analyzer.exe",
      "?:\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe"
    )
 )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Privileges Elevation via Parent Process PID Spoofing

Parent Process ID (PPID) spoofing is a technique where adversaries manipulate the PPID of a process to disguise its origin, often to bypass security measures or gain elevated privileges. This is particularly concerning in Windows environments where processes can inherit permissions from their parent. The detection rule identifies suspicious process creation patterns, such as unexpected PPID values and elevated user IDs, while filtering out known legitimate processes and trusted signatures, to flag potential privilege escalation attempts.

### Possible investigation steps

- Review the process creation event details, focusing on the process.parent.Ext.real.pid and user.id fields to confirm if the PPID spoofing led to privilege escalation to SYSTEM.
- Examine the process.executable and process.parent.executable paths to determine if the process is known or expected in the environment, and check against the list of excluded legitimate processes.
- Investigate the process.code_signature fields to verify if the process is signed by a trusted entity and if the signature is valid, especially if the process is not excluded by the rule.
- Check the historical activity of the involved user.id and process.parent.executable to identify any unusual patterns or recent changes in behavior.
- Correlate the alert with other security events or logs to identify any related suspicious activities or potential lateral movement attempts within the network.

### False positive analysis

- Processes related to Windows Error Reporting such as WerFault.exe and Wermgr.exe can trigger false positives. These are legitimate system processes and can be excluded by verifying their signatures and paths.
- Logon utilities like Utilman.exe spawning processes such as osk.exe, Narrator.exe, or Magnify.exe may appear suspicious but are often legitimate. Exclude these by confirming their usage context and ensuring they are executed by trusted users.
- Third-party software like TeamViewer, Cisco WebEx, and Dell Inc. may cause false positives due to their legitimate use of process creation. Verify the code signature and trust status to exclude these processes.
- Windows Update processes involving MpSigStub.exe and wuauclt.exe can be mistakenly flagged. Confirm these are part of regular update activities and exclude them based on their known paths and parent processes.
- Remote support and management tools such as LogMeIn, GoToAssist, and Chrome Remote Desktop may be flagged. Ensure these are installed and used by authorized personnel and exclude them by their executable paths.
- Netwrix Corporation's processes like adcrcpy.exe may be flagged if they are part of legitimate auditing activities. Verify the code signature and exclude these processes if they are part of authorized Netwrix Auditor operations.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified by the alert, especially those with spoofed PPIDs or elevated privileges, to stop potential malicious activities.
- Review and revoke any unauthorized user accounts or privileges that may have been created or escalated during the incident.
- Conduct a thorough forensic analysis of the affected system to identify any additional indicators of compromise or persistence mechanisms.
- Restore the system from a known good backup if necessary, ensuring that all malicious artifacts are removed and system integrity is maintained.
- Implement additional monitoring and logging on the affected system and network to detect any recurrence of similar activities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[[rule.threat.technique.subtechnique]]
id = "T1134.004"
name = "Parent PID Spoofing"
reference = "https://attack.mitre.org/techniques/T1134/004/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
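As an added example that is not part of the rule file or Elastic's code, the following Python models the query above and runs it over a handful of constructed process events, so the effect of each clause can be checked offline. The field names are the ones the rule uses; `eql_like` models EQL's `:` operator (case-insensitive, with `?` matching one character and `*` any run) using `fnmatch`; the exclusion lists are transcribed from the query; the helper names, sample paths and pids are invented for the example.

```python
"""Added example, not Elastic's code: a Python model of the rule's EQL predicate run
over constructed Endpoint-style process events to show which starts would alert."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional, Sequence

Event = Dict[str, Any]

def eql_like(value: Optional[str], patterns: Sequence[str]) -> bool:
    """Model EQL `field : ("p1", "p2")`: case-insensitive wildcard match, `?` is one
    character (the drive letter in the rule), `*` any run; a null field never matches."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

# Exclusion lists transcribed from the rule's query above.
WER = ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe",
       "?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
       "?:\\Windows\\System32\\Wermgr.exe", "?:\\Windows\\SysWOW64\\Wermgr.exe",
       "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe")
LOGON_UTILS = ("?:\\Windows\\System32\\osk.exe", "?:\\Windows\\System32\\Narrator.exe",
               "?:\\Windows\\System32\\Magnify.exe")
TRUSTED_SIGNERS = {"philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH",
                   "Projector.is, Inc.", "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc"}
MPSIGSTUB = ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe")
WUAUCLT = ("?:\\Windows\\System32\\wuauclt.exe", "?:\\Windows\\SysWOW64\\wuauclt.exe",
           "?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe", "?:\\Windows\\UUS\\amd64\\wuauclt.exe",
           "?:\\Windows\\UUS\\amd64\\wuaucltcore.exe", "?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")
THIRD_PARTY_PARENTS = (
    "?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe",
    "?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe",
    "?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe",
    "?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe", "?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe",
    "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
    "?:\\Program Files\\Freedom Scientific\\*.exe",
    "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
    "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe")
NETWRIX_PARENTS = ("?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe",
                   "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.Analyzer.exe",
                   "?:\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe")

def is_spoofed_system_child(ev: Event) -> bool:
    """True when the event satisfies the rule's query, clause by clause."""
    exe, parent = ev.get("process.executable"), ev.get("process.parent.executable")
    signer = ev.get("process.code_signature.subject_name")
    trusted = ev.get("process.code_signature.trusted") is True
    real_pid = ev.get("process.parent.Ext.real.pid")
    # Base clauses: a Windows process start that carries a real (creator) pid, i.e. the
    # creator differs from the recorded parent, and whose primary token is SYSTEM.
    if ev.get("host.os.type") != "windows" or ev.get("event.action") != "start":
        return False
    if not isinstance(real_pid, int) or real_pid <= 0 or not eql_like(ev.get("user.id"), ("S-1-5-18",)):
        return False
    # Known-benign exclusions, in the order the query lists them.
    excluded = (
        eql_like(exe, WER)
        or (eql_like(parent, ("?:\\Windows\\System32\\Utilman.exe",)) and eql_like(exe, LOGON_UTILS))
        or eql_like(parent, ("?:\\Windows\\System32\\AtBroker.exe",))
        or (signer in TRUSTED_SIGNERS and trusted)  # EQL `in` is case-sensitive; the trust flag is required
        or (eql_like(exe, MPSIGSTUB) and (eql_like(parent, WUAUCLT) or parent is None))
        or eql_like(parent, THIRD_PARTY_PARENTS)
        or (trusted and signer == "Netwrix Corporation"
            and eql_like(ev.get("process.name"), ("adcrcpy.exe",)) and eql_like(parent, NETWRIX_PARENTS)))
    return not excluded

def run_rule(events: Sequence[Event]) -> List[str]:
    """Ids of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if is_spoofed_system_child(ev)]

def make_event(event_id: str, exe: str, parent: Optional[str], real_pid: Optional[int] = 4712,
               user: str = "S-1-5-18", signer: Optional[str] = None, trusted: bool = False) -> Event:
    """Constructed (not captured) Endpoint-style process start; pids and paths are made up."""
    return {"id": event_id, "host.os.type": "windows", "event.action": "start", "process.executable": exe,
            "process.name": exe.rsplit("\\", 1)[-1], "process.parent.executable": parent,
            "process.parent.Ext.real.pid": real_pid, "user.id": user,
            "process.code_signature.subject_name": signer, "process.code_signature.trusted": trusted}

SAMPLE_EVENTS: List[Event] = [
    # cmd.exe started as SYSTEM while claiming svchost.exe as parent: alerts.
    make_event("spoofed-system-child", "C:\\Windows\\System32\\cmd.exe",
               "C:\\Windows\\System32\\svchost.exe", signer="Microsoft Windows", trusted=True),
    # Windows Error Reporting, listed by the rule as a common false positive: excluded.
    make_event("werfault", "C:\\Windows\\System32\\WerFault.exe", "C:\\Windows\\System32\\svchost.exe"),
    # Logon-screen accessibility tool under Utilman.exe: excluded.
    make_event("utilman-osk", "C:\\Windows\\System32\\osk.exe", "C:\\Windows\\System32\\Utilman.exe"),
    # A listed vendor with a validated signature is excluded ...
    make_event("teamviewer-trusted", "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
               "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe", signer="TeamViewer Germany GmbH", trusted=True),
    # ... but the same subject name on an untrusted signature still alerts.
    make_event("teamviewer-untrusted", "C:\\Users\\bob\\AppData\\Local\\Temp\\TeamViewer.exe",
               "C:\\Users\\bob\\AppData\\Local\\Temp\\loader.exe", signer="TeamViewer Germany GmbH"),
    # Ordinary SYSTEM service start: no real pid, so the base clause fails.
    make_event("plain-service", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\services.exe", real_pid=None),
    # Spoofed parent but a normal user token: outside this rule's scope.
    make_event("spoofed-user-child", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\explorer.exe",
               user="S-1-5-21-1004336348-1177238915-682003330-1001"),
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['spoofed-system-child', 'teamviewer-untrusted']
```

Two things the samples make visible. The signer allow-list only applies when process.code_signature.trusted is true, so a binary that merely carries one of those subject names still alerts. And an ordinary SYSTEM service start does not match, because the query's first clause requires process.parent.Ext.real.pid, which the example treats as present only when the creating process differs from the recorded parent; a Microsoft signature on the child (cmd.exe here) does not exclude it either.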
