PPID欺骗

对手可能会欺骗新进程的父进程标识符（PPID），以逃避进程监视防御或提升特权。除非明确指定，否则通常直接从其父进程或调用进程中产生新进程。显式分配新进程的PPID的一种方法是通过CreateProcessAPI调用，该调用支持定义要使用的PPID的参数。Windows功能（例如，用户帐户控制（UAC））使用此功能来在系统（通常是通过svchost.exe或consent.exe）而不是当前用户上下文生成请求的提升进程后正确设置PPID 。

对手可能滥用这些机制来逃避防御，如阻塞进程直接从Office文档，并分析产卵针对不同寻常的/潜在的恶意父子进程的关系，如欺骗的PPID的PowerShell(T1086)/Rundll32(T1085)是explorer.exe，而不是交付Office文档作为鱼叉附件的(T1193)一部分。可以通过恶意Office文档中的VBA脚本(T1064)或可以通过API(T1106)执行S执行的(T1106)任何代码来执行此欺骗。

明确分配PPID还可以启用特权升级(TA0004)（对父进程具有适当的访问权限）。例如，特权用户上下文中的对手（即管理员）可以产生一个新进程，并将父进程分配为以SYSTEM（例如）身份运行的进程lsass.exe，从而通过继承的访问令牌提升新进程。

Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.[1] This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.This spoofing could be executed via VBA Scripting within a malicious Office document or any code that can perform Execution through API.

Explicitly assigning the PPID may also enable Privilege Escalation (given appropriate access rights to the parent process). For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.

标签

ID编号： T1502

策略： 防御逃避，特权升级

平台： Windows

所需权限： user，administrator

数据源： Windows事件日志，进程监视，API监视

绕过防御： 主机取证分析，启发式检测

程序示例

名称	描述
Cobalt Strike(S0154)	Cobalt Strike(S0154)可以生成具有备用PPID的进程。

Name	Description
Cobalt Strike(S0154)	Cobalt Strike(S0154) can spawn processes with alternate PPIDs.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

查找存储PPID信息的各个字段之间的不一致，例如通过Windows事件跟踪（ETW）收集的数据中的EventHeader ProcessId，Windows事件日志中的Creator Process ID / Name以及ProcessID和ParentProcessID（它们也是从ETW和其他实用程序，例如任务管理器和流程资源管理器）。ETW提供的EventHeader ProcessId标识实际的父进程。

监视和分析对CreateProcess/的API调用CreateProcessA，特别是来自用户/潜在恶意进程的API调用，并使用显式分配PPID的参数（例如：进程创建标志0x8XXX，指示正在使用扩展的启动信息创建进程）。CreateProcess/的恶意使用CreateProcessA也可能会通过调用来进行UpdateProcThreadAttribute，这可能是更新流程创建属性所必需的。这可能会因正常的UAC抬高行为而产生误报，因此，如果可能，请与系统基准/正常系统活动的理解进行比较。

Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.

Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.