mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
22 lines
958 B
YAML
22 lines
958 B
YAML
title: Parent PID Spoofing
|
|
description: Detects parent PID spoofing through Cross Process indicators (SrcProcParentName
|
|
limits scope heavily) as well as detecting the use of PPID-Spoof powershell script
|
|
through Command Scripts indicators. Update the TgtProcName list to filter noise.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Defense Evasion, Privilege Escalation
|
|
technique: T1134
|
|
subtechnique: 004
|
|
operating_system: windows
|
|
query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Process
|
|
Handle" AND SrcProcParentName In Contains Anycase ("userinit.exe","powershell.exe","cmd.exe")
|
|
AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel != "LOW" AND TgtProcName
|
|
Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
|
|
SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
|
|
false_positives:
|
|
- Cross Process indicators are noisy
|
|
tags:
|
|
|