auto-generated queries from markdown notes

queries/windows/parent_pid_spoofing.yml

@@ -0,0 +1,20 @@
+title: Parent PID Spoofing
+description: Detects parent PID spoofing through Cross Process indicators (SrcProcParentName
+  limits scope heavily) as well as detecting the use of PPID-Spoof powershell script
+  through Command Scripts indicators. Update the TgtProcName list to filter noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Privilege Escalation
+   technique: T1134
+   subtechnique: 004
+operating_system: windows
+query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Process
+  Handle" AND SrcProcParentName In Contains Anycase ("userinit.exe","powershell.exe","cmd.exe")
+  AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel  != "LOW" AND TgtProcName
+  Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
+  SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
+false_positives: null
+tags: null
+