Find sigma rule
Attack: Access Token Manipulation: Parent PID Spoofing
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess
API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe
or consent.exe
) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe
rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
MITRE
Tactic
- privilege-escalation
- defense-evasion
technique
- T1134.004
Test : Parent PID Spoofing - Spawn from svchost.exe
OS
- windows
Description:
Spawnd a process as a child of the first accessible svchost.exe process.
Executor
powershell
Sigma Rule
-
posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
-
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
-
file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)
-
proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)
-
posh_ps_susp_windowstyle.yml (id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c)
-
posh_ps_susp_networkcredential.yml (id: 1883444f-084b-419b-ac62-e0d0c5b3693f)
-
posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
-
posh_ps_copy_item_system_directory.yml (id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd)