Skip to content

Latest commit

 

History

History
256 lines (155 loc) · 9.86 KB

T1134.004.md

File metadata and controls

256 lines (155 loc) · 9.86 KB

T1134.004 - Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)

Atomic Tests


Atomic Test #1 - Parent PID Spoofing using PowerShell

This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and calc.exe will be launched.

Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
parent_process_name Name of the parent process string explorer
spawnto_process_path Path of the process to spawn path C:\Program Files\Internet Explorer\iexplore.exe
dll_process_name Name of the created process from the injected dll string calculator
dll_path Path of the dll to inject path PathToAtomicsFolder\T1134.004\bin\calc.dll
spawnto_process_name Name of the process to spawn string iexplore

Attack Commands: Run with powershell!

. $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"

Cleanup Commands:

Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore

Dependencies: Run with powershell!

Description: DLL to inject must exist on disk at specified location (#{dll_path})
Check Prereq Commands:
if (Test-Path #{dll_path}) {exit 0} else {exit 1} 
Get Prereq Commands:
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"


Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process

Spawns a powershell.exe process as a child of the current process.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
file_path File path or name of process to spawn path $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
parent_pid PID of process to spawn from string $PID
command_line Specified command line to use string -Command Start-Sleep 10

Attack Commands: Run with powershell!

Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}

Dependencies: Run with powershell!

Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
Check Prereq Commands:
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
Get Prereq Commands:
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force


Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process

Spawns a notepad.exe process as a child of the current process.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
parent_pid PID of process to spawn from string $PID
test_guid Defined test GUID string 12345678-1234-1234-1234-123456789123

Attack Commands: Run with powershell!

Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid #{test_guid}

Dependencies: Run with powershell!

Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
Check Prereq Commands:
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
Get Prereq Commands:
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force


Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe

Spawnd a process as a child of the first accessible svchost.exe process.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
command_line Specified command line to use string -Command Start-Sleep 10
file_path File path or name of process to spawn path $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe

Attack Commands: Run with powershell!

Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

Dependencies: Run with powershell!

Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
Check Prereq Commands:
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
Get Prereq Commands:
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force


Atomic Test #5 - Parent PID Spoofing - Spawn from New Process

Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
command_line Specified command line to use string -Command Start-Sleep 10
file_path File path or name of process to spawn path $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
parent_name Parent process to spoof from path $Env:windir\System32\notepad.exe

Attack Commands: Run with powershell!

Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

Dependencies: Run with powershell!

Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
Check Prereq Commands:
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
Get Prereq Commands:
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force