[New Rule] Parent Process PID Spoofing (#1338)

* [New Rule] Parent Process PID Spoofing

* excluding sihost FPs

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* relinted and added 2 non ecs fields

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 81ab43898c)

etc/non-ecs-schema.json

@@ -12,5 +12,9 @@
   },
   "filebeat-*": {
     "o365.audit.NewValue": "keyword"
+  },
+  "logs-endpoint.events.*": {
+    "process.Ext.token.integrity_level_name": "keyword",
+	"process.parent.Ext.real.pid": "long"
   }
 }

rules/windows/defense_evasion_parent_process_pid_spoofing.toml

@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2021/07/14"
+maturity = "production"
+updated_date = "2021/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID)
+of a new process to evade process-monitoring defenses or to elevate privileges.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Parent Process PID Spoofing"
+references = ["https://blog.didierstevens.com/2017/03/20/"]
+risk_score = 73
+rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+
+query = '''
+/* This rule is compatible with Elastic Endpoint only */
+
+sequence by host.id, user.id with maxspan=5m
+ [process where event.type == "start" and
+  process.Ext.token.integrity_level_name != "system" and
+  (
+    process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
+                                     "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
+                                     "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
+                                     "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or
+    process.executable : ("?:\\Users\\*.exe",
+                          "?:\\ProgramData\\*.exe",
+                          "?:\\Windows\\Microsoft.NET\\*.exe",
+                          "?:\\Windows\\Temp\\*.exe",
+                          "?:\\Windows\\Tasks\\*") or
+    process.code_signature.trusted != true
+  )
+  ] by process.pid
+ [process where event.type == "start" and process.parent.Ext.real.pid > 0 and
+  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
+  
+  not (process.name : "msedge.exe" and process.parent.name : "sihost.exe")
+ ] by process.parent.Ext.real.pid
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Access Token Manipulation"
+id = "T1134"
+reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+name = "Parent PID Spoofing"
+id = "T1134.004"
+reference = "https://attack.mitre.org/techniques/T1134/004/"
+
+
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"