
# Endpoint behavior rule for MITRE ATT&CK T1134.004 (Parent PID Spoofing); the
# path and the license/min_endpoint_version keys indicate an Elastic endpoint
# rule. The detection is a two-stage EQL sequence (see `query`). Response
# actions for the matched processes are declared in [[actions]] below.
[rule]
description = """
Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a
new process to evade process-monitoring defenses or to elevate privileges.
"""
id = "816ba7e7-519a-4f85-be2a-bacd6ccde57f"
license = "Elastic License v2"
name = "Parent Process PID Spoofing"
os_list = ["windows"]
reference = [
    "https://blog.didierstevens.com/2017/03/20/",
    "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
]
version = "1.0.47"
# Two-stage sequence within a 5 minute window. Stage 0 is joined on
# process.entity_id and stage 1 on process.parent.Ext.real.entity_id, so a match
# means the stage-0 process is the endpoint-observed ("real") parent of the
# stage-1 process, while stage 1 only fires when process.parent.Ext.real.pid is
# set (> 0). NOTE(review): the exact semantics of process.parent.Ext.real.* are
# inferred from the join and the rule name — confirm against the endpoint
# field reference.
#
# Almost all of the query body is false-positive suppression. Maintenance notes:
# - Signer-based exclusions (code_signature.trusted == true plus a
#   subject_name) accept any binary signed by that subject, not one product;
#   keep them scoped by pe.original_file_name/executable where possible. The
#   bare "Michael Maltsev" exclusion in stage 0 has no such scope.
# - The Roblox and Tailscale exclusions also accept a signature whose status is
#   "errorTimeStamp" / "errorChaining", i.e. one that did not fully validate;
#   these are the weakest of the signer checks and deserve periodic re-review.
# - The stage-1 sha256 allowlist carries no note of what each hash is; record
#   the binary and version next to each entry the next time it is touched.
# - The last stage-1 exclusion drops any System32/SysWOW64 child reported under
#   a \Device\HarddiskVolume? path. Presumably a path-normalization artefact —
#   confirm the intent, since it suppresses a wide set of system binaries.
query = '''
sequence with maxspan=5m
 [process where event.action == "start" and process.parent.executable != null and

  /* FP - AppInfo */
  not (process.executable : "*\\windows\\system32\\svchost.exe" and user.id == "S-1-5-18" and process.command_line : "* -k netsvcs*") and

  /* FP - Windows Errors Reporting */
  not (process.executable : "*\\windows\\system32\\svchost.exe" and user.id == "S-1-5-18" and process.command_line : "*WerSvcGroup*") and

  /* FP - Secondary Logon */
  not (process.executable : "*\\windows\\system32\\svchost.exe" and user.id == "S-1-5-18" and process.command_line : "*seclogon*") and

  /* FP - Application Brokers */
  not (process.executable : ("*\\Windows\\System32\\RuntimeBroker.exe", "*\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) and

  /* FP - Third Party Programs except MS Office */
  not (process.executable : ("*\\Program Files (x86)\\*.exe", "*\\Program Files\\*.exe") and process.code_signature.trusted == true and
       not process.name in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe")) and

  not (process.pe.original_file_name in~ ("devenv.exe", "PowerToys.exe") and process.code_signature.trusted == true and
       process.code_signature.subject_name like "Microsoft*") and

  /* FP Issue #488 - WerFaultSecure ProtectedCrash */
  not (
    process.executable : ("*\\Windows\\System32\\WerFaultSecure.exe", "*\\WINDOWS\\SysWOW64\\WerFaultSecure.exe") and
    user.id == "S-1-5-18" and process.parent.command_line != null and
    ((process.parent.executable : "*\\Windows\\System32\\svchost.exe" and process.parent.command_line : "*WerSvcGroup*") or
     process.parent.executable : "*\\Windows\\System32\\dxgiadaptercache.exe")
  ) and

  /* FP Issue #488 - File Picker UI Host is real parent of Authentication Broker AuthHost.exe */
  not (process.executable : "*\\Windows\\System32\\PickerHost.Exe" and process.parent.executable : "*\\Windows\\System32\\svchost.exe") and

  /* FP Issue #488 - Roblox Game Client */
  not (process.pe.original_file_name : "RobloxApp.exe" and process.code_signature.subject_name == "Roblox Corporation" and
       (process.code_signature.trusted == true or process.code_signature.status == "errorTimeStamp")) and

  /* FP OpenWith handles unknown file handlers via GUI popup */
  not (process.executable : ("*\\WINDOWS\\system32\\OpenWith.exe", "*\\WINDOWS\\syswow64\\OpenWith.exe") and process.args: "-Embedding" and
       process.parent.executable : "*\\Windows\\System32\\svchost.exe" and process.parent.args : "DcomLaunch") and

  not (process.pe.original_file_name in~ ("notification_helper.exe", "cpptools.exe") and
       process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) and

  not (process.pe.original_file_name : "pmlauncher.exe" and
       process.code_signature.subject_name in ("BeyondTrust Software, Inc", "BeyondTrust Software Inc") and process.code_signature.trusted == true) and

  not (process.executable : "*\\Windows\\SystemApps\\Microsoft*.exe" and process.parent.executable : "*\\Windows\\system32\\svchost.exe" and
       process.parent.args : "DcomLaunch") and

  not (process.pe.original_file_name == "MBSetup.exe" and process.code_signature.subject_name in ("Malwarebytes Inc.", "Malwarebytes Inc") and
       process.code_signature.trusted == true) and

  not (process.executable : "*\\Windows\\System32\\backgroundTaskHost.exe" and process.Ext.token.integrity_level_name == "low" and
       process.parent.name : "svchost.exe") and

  not (process.executable : "*\\Windows\\System32\\SystemSettingsBroker.exe" and process.parent.args : "DcomLaunch" and
       process.parent.executable : "*\\Windows\\System32\\svchost.exe") and

  not (process.pe.original_file_name == "tailscale-ipn.exe" and process.code_signature.subject_name == "Tailscale Inc." and
       (process.code_signature.trusted == true or process.code_signature.status == "errorChaining")) and

  not process.executable : "?:\\Windows\\SoftwareDistribution\\*.exe" and

  not (process.name : "cpptools.exe" and process.parent.executable : "?:\\Program Files\\Microsoft VS Code\\Code.exe") and

  not (process.code_signature.trusted == true and process.code_signature.subject_name == "Michael Maltsev") and

  not (process.executable : "?:\\WINDOWS\\Microsoft.NET\\Framework\\*\\RegAsm.exe" and
       process.args : "?:\\ProgramData\\PlatformInstall\\GideCode\\rtcresofz_Mecrrcpl.dll" and
       process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and

  not (process.executable : "C:\\Windows\\System32\\sihost.exe" and process.parent.executable : "C:\\Windows\\System32\\sihost.exe")
  ] by process.entity_id
 [process where event.action == "start" and process.parent.Ext.real.pid > 0 and

  /* FP Issue #488 - Auth Host Broker for WindowsApps */
  not process.executable : "*\\Windows\\system32\\AuthHost.exe" and

  not (process.parent.executable : "*\\Windows\\System32\\sihost.exe" and process.pe.original_file_name in~ ("chrome.exe", "msedge.exe") and
       process.args_count >= 2 and process.code_signature.subject_name : ("Google LLC", "Microsoft Corporation")) and

  not (process.executable : "*\\Windows\\System32\\fsutil.exe" and process.args : "file" and
       process.parent.executable : "*\\Users\\*\\.vscode\\extensions\\ms-vscode.cpptools-*\\bin\\cpptools.exe") and

  /* noisy with variable patterns for the parent and real parent process */
  not (process.executable : "*\\WINDOWS\\system32\\WerFaultSecure.exe" and process.Ext.token.integrity_level_name == "system") and

  /* AM_Delta_Patch Windows Update */
  not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and
       process.parent.name in~ ("wuauclt.exe", "wuaucltcore.exe")) and

  not process.executable : ("?:\\Windows\\SysWOW64\\WerFault.exe", "?:\\Windows\\system32\\WerFault.exe") and

  not process.hash.sha256 : ("02cfaec8d3f905a7a940dc307fb1c0558eed6a80e663526f73efeb79c1808b87",
                             "bd7ed99c8a05b3852cc4e44a34e4ba4f7ad4d4074ee60ad6a21a706897eeb714",
                             "c5b9688aed57d6b6285a210d40c9a4bf43c3672a758d448cd99f40fdc6681415",
                             "dee8aba745a6cca1b2404f5054dd91d4159d824c3f079fe742c6a25961d7a9f0",
                             "0a04684ef46dcac1859a195e8c7d4bfdb2dddb7da1d4491e8b7bf794036eba3a",
                             "217fa613c4e129f20d1b20fd2ce5c7a7efbdf88e1e6121077057d0b14fe15450",
                             "038d7b257b98421ad371189cf51d67f32ddad2de687c443a59ea74e4027bbf04",
                             "590f3cc02628dcdb43d3ee00ecf1a86e0bfcefd26cb0ffcb809a67194b22fda6",
                             "ff7627eaa90ce994207d1d1d1b39ac8852b11f03a6adb86d915f4696401beca0",
                             "a0b1f604c335315b5ba5a598436bf6c8b05ce77742e2f1b102a8c7d11918408d",
                             "f074a65751beb589b99ecffa2d4cefdd9c87c3641487d2baed4c9f85e75ffbc6",
                             "5ea04862fe5e201e47e5aac29c19a1550612f82a048b402cd85435efd9d39d2a",
                             "79f7c942f9b15b857abcb838123991ad756ea3bb846045ed3378e484428f74a3",
                             "97effc20423d404cf3877cdb4af9be840a720962246408b2d7396362a9e5d613",
                             "a4af59c1f044ff1290e47e74484163243591f56b7053c8b8d3e4ae320cecbac3",
                             "941bc9193d9143d71e2c93803b0cbff511ec549f0c4f0093744cab6bedd4140a",
                             "3f9075c30f63d67693f2f876212f702ddfe51834c73289718baf6e8fb2036039") and

  not (process.args : "$execWrapper" and process.name : "powershell.exe" and process.parent.name : "cmd.exe") and

  not (process.executable : "?:\\Program Files\\Malwarebytes\\Anti-Malware\\Malwarebytes.exe" and
       process.code_signature.subject_name == "Malwarebytes Inc." and process.code_signature.trusted == true) and

  not process.executable : ("\\Device\\HarddiskVolume?\\Windows\\System32\\*.exe", "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\*.exe")
  ] by process.parent.Ext.real.entity_id
'''
# Duplicated under [internal] below; keep the two values in sync.
min_endpoint_version = "7.15.0"

# Response actions: terminate the matched process of each sequence stage.
# `state` presumably indexes the sequence stage (0 = spoofed parent candidate,
# 1 = child with a differing real parent) — confirm against the rule schema.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 1

# Optional remediation for the stage-0 process; what "rollback" reverts is not
# visible here — see the endpoint action reference.
[[optional_actions]]
action = "rollback"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[threat.technique.subtechnique]]
id = "T1134.004"
name = "Parent PID Spoofing"
reference = "https://attack.mitre.org/techniques/T1134/004/"

[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
# Must match rule.min_endpoint_version above.
min_endpoint_version = "7.15.0"