父进程PID欺骗
编辑父进程PID欺骗
编辑识别用于阻止检测的父进程欺骗。攻击者可能会欺骗新进程的父进程标识符 (PPID),以逃避进程监控防御或提升权限。
规则类型: eql
规则索引:
- logs-endpoint.events.process-*
严重性: 高
风险评分: 73
每隔: 5分钟
搜索索引自: now-9m (日期数学格式,另请参见 其他回溯时间
)
每次执行的最大告警数: 100
参考:
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 战术:防御规避
- 战术:权限提升
- 数据源:Elastic Defend
版本: 107
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑/* This rule is compatible with Elastic Endpoint only */ sequence by host.id, user.id with maxspan=3m [process where host.os.type == "windows" and event.type == "start" and process.Ext.token.integrity_level_name != "system" and ( process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or (process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?:\\Windows\\Temp\\*.exe", "?:\\Windows\\Tasks\\*") and (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or process.executable : "?:\\Windows\\Microsoft.NET\\*.exe" ) and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe") ] by process.pid [process where host.os.type == "windows" and event.type == "start" and process.parent.Ext.real.pid > 0 and /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */ not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe") ] by process.parent.Ext.real.pid
框架: MITRE ATT&CKTM
-
战术
- 名称:防御规避
- ID:TA0005
- 参考URL:https://attack.mitre.org/tactics/TA0005/
-
技术
- 名称:访问令牌操作
- ID:T1134
- 参考URL:https://attack.mitre.org/techniques/T1134/
-
子技术
- 名称:父PID欺骗
- ID:T1134.004
- 参考URL:https://attack.mitre.org/techniques/T1134/004/
-
战术
- 名称:权限提升
- ID:TA0004
- 参考URL:https://attack.mitre.org/tactics/TA0004/
-
技术
- 名称:访问令牌操作
- ID:T1134
- 参考URL:https://attack.mitre.org/techniques/T1134/
-
子技术
- 名称:父PID欺骗
- ID:T1134.004
- 参考URL:https://attack.mitre.org/techniques/T1134/004/