› › ›

父进程 PID 欺骗

编辑

父进程 PID 欺骗编辑

识别用于阻止检测的父进程欺骗。攻击者可能会欺骗新进程的父进程标识符 (PPID)，以逃避进程监控防御或提升权限。

规则类型: eql

规则索引:

logs-endpoint.events.process-*

严重性: 高

风险评分: 73

每隔运行: 5m

从以下时间开始搜索索引: now-9m (日期数学格式，另请参阅 附加回溯时间)

每次执行的最大警报数: 100

参考:

https://blog.didierstevens.com/2017/03/20/

标签:

域：端点
操作系统：Windows
用例：威胁检测
策略：防御规避
策略：权限提升
数据源：Elastic Defend

版本: 106

规则作者:

Elastic

规则许可证: Elastic License v2

规则查询编辑

/* This rule is compatible with Elastic Endpoint only */

sequence by host.id, user.id with maxspan=3m

 [process where host.os.type == "windows" and event.type == "start" and
  process.Ext.token.integrity_level_name != "system" and
  (
    process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
                                     "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
                                     "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
                                     "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or

    (process.executable : ("?:\\Users\\*.exe",
                           "?:\\ProgramData\\*.exe",
                           "?:\\Windows\\Temp\\*.exe",
                           "?:\\Windows\\Tasks\\*") and
      (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or

    process.executable : "?:\\Windows\\Microsoft.NET\\*.exe"
  ) and

  not process.executable :
             ("?:\\Windows\\System32\\WerFaultSecure.exe",
              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
              "?:\\Windows\\System32\\WerFault.exe",
              "?:\\Windows\\SysWOW64\\WerFault.exe")
  ] by process.pid
 [process where host.os.type == "windows" and event.type == "start" and
  process.parent.Ext.real.pid > 0 and

  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
  not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and

   not process.executable :
             ("?:\\Windows\\System32\\WerFaultSecure.exe",
              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
              "?:\\Windows\\System32\\WerFault.exe",
              "?:\\Windows\\SysWOW64\\WerFault.exe")
 ] by process.parent.Ext.real.pid

框架: MITRE ATT&CK^TM

策略
- 名称：防御规避
- ID：TA0005
- 参考 URL：https://attack.mitre.org/tactics/TA0005/
技术
- 名称：访问令牌操作
- ID：T1134
- 参考 URL：https://attack.mitre.org/techniques/T1134/
子技术
- 名称：父 PID 欺骗
- ID：T1134.004
- 参考 URL：https://attack.mitre.org/techniques/T1134/004/
策略
- 名称：权限提升
- ID：TA0004
- 参考 URL：https://attack.mitre.org/tactics/TA0004/
技术
- 名称：访问令牌操作
- ID：T1134
- 参考 URL：https://attack.mitre.org/techniques/T1134/
子技术
- 名称：父 PID 欺骗
- ID：T1134.004
- 参考 URL：https://attack.mitre.org/techniques/T1134/004/