ETW Part 2: Process Parent Spoofing
Process Parent Spoofing
Many current state-of-the-art detection techniques rely on process creation logs and the parent/child relationships they imply. For example, many detection rules alert when PowerShell is launched from WinWord.exe, since that typically indicates a macro has started a PowerShell payload. You can also read this story here.
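As an added example (not code from the original post), here is the kind of parent/child rule described above, run over a few constructed Sysmon Event ID 1 style process-creation lines; it generalizes slightly from WinWord.exe to other Office parents and other scripting hosts, and like any such rule it trusts the ParentImage field exactly as the log reports it.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events in a flattened key=value form; not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "CommandLine=powershell -nop -w hidden -enc QQBBAEEA",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "CommandLine=notepad.exe",
]

# Assumed watch-lists: Office parents and the script hosts a macro typically launches.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# key=value pairs; a value runs until the next " key=" token. Good enough for the
# constructed lines here; a real pipeline should consume structured XML/JSON instead.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawned_shell(event: Dict[str, str]) -> bool:
    """True for a process-creation event whose reported parent is an Office app
    and whose child is a scripting host. The parent is taken at face value."""
    if event.get("EventID") != "1":
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SHELL_CHILDREN


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the rule."""
    return [event for event in map(parse_event, lines) if is_office_spawned_shell(event)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", basename(hit["ParentImage"]), "->", basename(hit["Image"]), "|", hit["CommandLine"])
```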
Many people are sometimes surprised to learn that on Windows parent/child process…