title: Parent PID Spoofing
description: Detects parent PID spoofing through Cross Process indicators (SrcProcParentName
  limits scope heavily) as well as detecting the use of PPID-Spoof powershell script
  through Command Scripts indicators. Update the TgtProcName list to filter noise.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1134
   subtechnique: 004
operating_system: windows
query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Process
  Handle" AND SrcProcParentName In Contains Anycase ("userinit.exe","powershell.exe","cmd.exe")
  AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel  != "LOW" AND TgtProcName
  Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
  SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
false_positives: null
tags: null