This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Parent Process PID Spoofing
editParent Process PID Spoofing
editIdentifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 100 (version history)
Added (Elastic Stack release): 7.14.0
Last modified (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
edit/* This rule is compatible with Elastic Endpoint only */ sequence by
host.id, user.id with maxspan=5m [process where event.type == "start"
and process.Ext.token.integrity_level_name != "system" and (
process.pe.original_file_name : ("winword.exe", "excel.exe",
"outlook.exe", "powerpnt.exe", "eqnedt32.exe",
"fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe",
"pwsh.exe", "cscript.exe",
"wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
"mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or
process.executable : ("?:\\Users\\*.exe",
"?:\\ProgramData\\*.exe",
"?:\\Windows\\Microsoft.NET\\*.exe",
"?:\\Windows\\Temp\\*.exe",
"?:\\Windows\\Tasks\\*") or process.code_signature.trusted != true
) ] by process.pid [process where event.type == "start" and
process.parent.Ext.real.pid > 0 and /* process.parent.Ext.real.pid
is only populated if the parent process pid doesn't match */ not
(process.name : "msedge.exe" and process.parent.name : "sihost.exe")
] by process.parent.Ext.real.pid
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/
Rule version history
edit- Version 100 (8.5.0 release)
-
-
Updated query, changed from:
/* This rule is compatible with Elastic Endpoint only */ sequence by host.id, user.id with maxspan=5m [process where event.type == "start" and process.Ext.token.integrity_level_name != "system" and ( process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?:\\Windows\\Microsoft.NET\\*.exe", "?:\\Windows\\Temp\\*.exe", "?:\\Windows\\Tasks\\*") or process.code_signature.trusted != true ) ] by process.pid [process where event.type == "start" and process.parent.Ext.real.pid > 0 and /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */ not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") ] by process.parent.Ext.real.pid
-
- Version 2 (8.4.0 release)
-
- Formatting only