100 Days of YARA – Day 22: Parent Process ID Spoofing

Parent Process ID Spoofing is used by malware sometimes to camouflage malware’s true parent, thus confusing an analyst or systems administrator. Malware processes that have unlikely parent processes stand out prominently when viewing process lists on an infected host.

This technique is outlined in detail here: https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing

These rules generate some false positives but may be useful.

import "pe"

rule ppid_spoofing
{
	meta:
		author = "Daniel Roberson"
		description = "Contains imports necessary to implement Parent Process ID (PPID) spoofing"

	condition:
		uint16(0) == 0x5a4d and
		pe.imports("kernel32.dll", "InitializeProcThreadAttributeList") and
		pe.imports("kernel32.dll", "OpenProcess") and
		pe.imports("kernel32.dll", "DuplicateHandle") and
		pe.imports("kernel32.dll", "UpdateProcThreadAttribute") and (pe.imports("kernel32.dll", "CreateProcessA") or pe.imports("kernel32.dll", "CreateProcessW"))
}

Alternatively, this broader rule may match on malicious scripts:

rule ppid_spoofing_broad
{
	meta:
		description = "Contains imports necessary to implement Parent Process ID (PPID) spoofing"

	strings:
		$ = "InitializeProcThreadAttributeList" wide ascii
		$ = "OpenProcess" wide ascii
		$ = "DuplicateHandle" wide ascii
		$ = "UpdateProcThreadAttribute" wide ascii
		$ = "CreateProcess" wide ascii

	condition:
		all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 22: Parent Process ID Spoofing

  1. Pingback: Week 03 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s