Esc

Parent PID Spoofing - T1134.004

(ATT&CK® Technique)

Definition

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1134004["Parent PID Spoofing"] --> |invokes| CreateProcess["Create Process"]; class T1134004 OffensiveTechniqueNode;
        class CreateProcess ArtifactNode; click CreateProcess href "../../../dao/artifact/d3f:CreateProcess";
        click T1134004 href "../../../offensive-technique/attack/T1134.004/"; click CreateProcess href "../../../dao/artifact/d3f:CreateProcess";             ProcessSpawnAnalysis["Process Spawn Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
            | may-detect | T1134004["Parent PID Spoofing"] ;
          class ProcessSpawnAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ProcessSpawnAnalysis href "../../../technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1134004["Parent PID Spoofing"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallAnalysis href "../../../technique/d3f:SystemCallAnalysis";                           ExecutableAllowlisting["Executable Allowlisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1134004["Parent PID Spoofing"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableAllowlisting href "../../../technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1134004["Parent PID Spoofing"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableDenylisting href "../../../technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
          | restricts | CreateProcess["Create Process"];

          Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
            | may-isolate | T1134004["Parent PID Spoofing"] ;
          class Hardware-basedProcessIsolation DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click Hardware-basedProcessIsolation href "../../../technique/d3f:Hardware-basedProcessIsolation";                                        SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateProcess["Create Process"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1134004["Parent PID Spoofing"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallFiltering href "../../../technique/d3f:SystemCallFiltering";

json