rule:
  meta:
    name: spoof parent PID
    namespace: anti-analysis/anti-forensic
    authors:
      - michael.hunhoff@mandiant.com
    scope: basic block
    att&ck:
      - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]
    references:
      - https://blog.f-secure.com/detecting-parent-pid-spoofing/
    examples:
      - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002291
  features:
    - and:
      - api: kernel32.UpdateProcThreadAttribute
      - number: 0x20000 = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS