rule: meta: name: spoof parent PID namespace: anti-analysis/anti-forensic authors: - michael.hunhoff@mandiant.com scope: basic block att&ck: - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004] references: - https://blog.f-secure.com/detecting-parent-pid-spoofing/ examples: - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002291 features: - and: - api: kernel32.UpdateProcThreadAttribute - number: 0x20000 = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS