IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Parent Process PID Spoofing
editParent Process PID Spoofing
editIdentifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Privilege Escalation
- Data Source: Elastic Defend
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edit/* This rule is compatible with Elastic Endpoint only */ sequence by host.id, user.id with maxspan=3m [process where host.os.type == "windows" and event.type == "start" and process.Ext.token.integrity_level_name != "system" and ( process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or (process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?:\\Windows\\Temp\\*.exe", "?:\\Windows\\Tasks\\*") and (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or process.executable : "?:\\Windows\\Microsoft.NET\\*.exe" ) and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe") ] by process.pid [process where host.os.type == "windows" and event.type == "start" and process.parent.Ext.real.pid > 0 and /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */ not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe") ] by process.parent.Ext.real.pid
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/
-
Sub-technique:
- Name: Parent PID Spoofing
- ID: T1134.004
- Reference URL: https://attack.mitre.org/techniques/T1134/004/
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/
-
Sub-technique:
- Name: Parent PID Spoofing
- ID: T1134.004
- Reference URL: https://attack.mitre.org/techniques/T1134/004/