T1134.004 · threatengine.sh

Home/ATT&CK Technique/Parent PID Spoofing

ATT&CK Technique

Parent PID Spoofing

T1134.004 · stealth, privilege-escalation

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.

This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context. Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.

Windows

◆

Actors Using This

1

russia_speaking_organized_cybercrimeDarkGate Operators

▸

Atomic Tests

5

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

powershellwindowsParent PID Spoofing using PowerShell

This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and calc.exe will be launched. Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)

. "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"

powershellwindowsParent PID Spoofing - Spawn from Current Process

Spawns a powershell.exe process as a child of the current process.

Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}

powershellwindowsParent PID Spoofing - Spawn from Specified Process

Spawns a notepad.exe process as a child of the current process.

Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid #{test_guid}

powershellwindowsParent PID Spoofing - Spawn from svchost.exe

Spawnd a process as a child of the first accessible svchost.exe process.

Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

powershellwindowsParent PID Spoofing - Spawn from New Process

Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.

Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'

◈

Detection Coverage

1/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) 1

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

▣

Comply & Defend

D3FEND6 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin