T1134.004 Parent PID Spoofing
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.[6] This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.[3]
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.[2] This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.[7][2]
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.[1]
| Item | Value |
|---|---|
| ID | T1134.004 |
| Sub-techniques | T1134.001, T1134.002, T1134.003, T1134.004, T1134.005 |
| Tactics | TA0005, TA0004 |
| Platforms | Windows |
| Permissions required | Administrator, User |
| Version | 1.0 |
| Created | 18 February 2020 |
| Last Modified | 03 May 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0154 | Cobalt Strike | Cobalt Strike can spawn processes with alternate PPIDs.[9][10] |
| S0356 | KONNI | KONNI has used parent PID spoofing to spawn a new cmd process using CreateProcessW and a handle to Taskmgr.exe.[8] |
| S0501 | PipeMon | PipeMon can use parent PID spoofing to elevate privileges.[11] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0009 | Process | OS API Execution |
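The description above notes that the PPID recorded for a new process can differ from the process that actually called CreateProcess, and that UAC (via svchost.exe/consent.exe) does this legitimately. The following is an added detection example, not part of the ATT&CK page or any vendor tool: it assumes process-creation records in which the creator PID (the caller of the process-creation API, as carried in an ETW event header) is available separately from the recorded ParentProcessID, flags mismatches, allow-lists the UAC brokers, and separates the privilege-escalation case (spoofed parent running as SYSTEM) from plain evasion. All records, PIDs and user names are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcessStart:
    """One constructed process-creation record (modelled on ETW ProcessStart)."""
    caller_pid: int      # PID of the process that issued the creation call (event header)
    caller_image: str
    caller_user: str
    parent_pid: int      # ParentProcessID written into the record (what the caller requested)
    parent_image: str
    parent_user: str
    new_image: str

# Windows re-parents UAC-elevated processes from these brokers, so a
# caller/parent mismatch they produce is expected rather than suspicious.
UAC_BROKERS = {"svchost.exe", "consent.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"

def classify(ev: ProcessStart) -> str:
    """Verdict for one record: normal, expected-uac, suspicious-privesc or suspicious-evasion."""
    if ev.caller_pid == ev.parent_pid:
        return "normal"                  # creator and recorded parent agree
    if ev.caller_image.lower() in UAC_BROKERS:
        return "expected-uac"            # legitimate re-parenting by UAC
    if ev.parent_user == SYSTEM and ev.caller_user != SYSTEM:
        return "suspicious-privesc"      # spoofed SYSTEM parent: token inheritance risk
    return "suspicious-evasion"          # spoofed parent hides the real process chain

# Constructed sample records (hypothetical PIDs, images and users).
SAMPLE: List[ProcessStart] = [
    ProcessStart(4120, "winword.exe", "CORP\\alice", 4120, "winword.exe", "CORP\\alice", "powershell.exe"),
    ProcessStart(4120, "winword.exe", "CORP\\alice", 1532, "explorer.exe", "CORP\\alice", "powershell.exe"),
    ProcessStart(880, "svchost.exe", SYSTEM, 1532, "explorer.exe", "CORP\\alice", "mmc.exe"),
    ProcessStart(5210, "cmd.exe", "CORP\\admin", 712, "lsass.exe", SYSTEM, "cmd.exe"),
]

def triage(events: List[ProcessStart]) -> List[Tuple[str, str, str, str]]:
    """Return (new image, real creator, recorded parent, verdict) for flagged records."""
    return [(e.new_image, e.caller_image, e.parent_image, classify(e))
            for e in events if classify(e).startswith("suspicious")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Sysmon Event ID 1 and Security Event ID 4688 only carry the recorded parent, so this comparison needs a source that also exposes the calling process.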
References
1. Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.
2. Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.
3. Montemayor, D. et al. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.
4. Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.
5. Securityinbits. (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.
6. Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.
7. Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.
8. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
9. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy? Retrieved June 4, 2019.
10. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
11. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.