Defense Evasion (TA0005)(external, opens in a new tab or window)
Privilege Escalation (TA0004)(external, opens in a new tab or window)
text code block:/* This rule is compatible with Elastic Endpoint only */ sequence by host.id, user.id with maxspan=3m [process where host.os.type == "windows" and event.type == "start" and process.Ext.token.integrity_level_name != "system" and ( process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or (process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?:\\Windows\\Temp\\*.exe", "?:\\Windows\\Tasks\\*") and (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or process.executable : "?:\\Windows\\Microsoft.NET\\*.exe" ) and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe") ] by process.pid [process where host.os.type == "windows" and event.type == "start" and process.parent.Ext.real.pid > 0 and /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */ not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe") ] by process.parent.Ext.real.pid
Install detection rules in Elastic Security
Detect Parent Process PID Spoofing in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).