Description
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API calls.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
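As an added example (not code from the ATT&CK page or from any of the cited tools), here are the two defender-side checks the description implies, run over constructed process-creation records: comparing the declared parent with the process that actually issued the CreateProcess call, and flagging parents such as lsass.exe that do not normally spawn children. The record shape (modelled on Sysmon Event ID 1 fields), the CreatorProcessId field and the UNUSUAL_PARENTS list are assumptions for illustration.

```python
import ntpath
from typing import Iterable

# Constructed sample records shaped like Sysmon Event ID 1 fields, plus
# CreatorProcessId: the PID of the process that called CreateProcess. That field
# is an assumption here (Sysmon does not record it); a source that stamps the
# calling process on the event, such as an ETW process-start event header, would.
SAMPLE_EVENTS = [
    {"ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1300, "ParentImage": r"C:\Windows\explorer.exe",
     "CreatorProcessId": 1300},   # benign: creator is the declared parent
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessId": 1300, "ParentImage": r"C:\Windows\explorer.exe",
     "CreatorProcessId": 4100},   # macro in WINWORD (pid 4100) declared explorer as parent
    {"ProcessId": 7000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\lsass.exe",
     "CreatorProcessId": 4500},   # admin shell (pid 4500) declared lsass.exe as parent
]

# Parents that should almost never have children on a healthy host; tune per
# environment (assumed list).
UNUSUAL_PARENTS = {"lsass.exe", "csrss.exe"}


def ppid_alerts(event: dict) -> list[str]:
    """Return the reasons an event looks like PPID spoofing (empty if none)."""
    reasons = []
    parent = event["ParentProcessId"]
    creator = event.get("CreatorProcessId")
    # Check 1: the caller of CreateProcess is not the declared parent. Only an
    # explicitly assigned parent produces this; UAC elevation does it legitimately,
    # so in production allowlist the consent.exe/svchost.exe creators named above.
    if creator is not None and creator != parent:
        reasons.append(f"declared parent {parent} != creator {creator}")
    # Check 2: the declared parent is a system process that does not normally
    # spawn children (the lsass.exe elevation case in the text).
    parent_image = ntpath.basename(event["ParentImage"]).lower()
    if parent_image in UNUSUAL_PARENTS:
        reasons.append(f"unusual parent {parent_image}")
    return reasons


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> alert reasons for every event that trips at least one check."""
    return {e["ProcessId"]: r for e in events if (r := ppid_alerts(e))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```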
Platforms
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Tas... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can spawn processes with alternate PPIDs.(Citation: CobaltStrike Daddy May 2017)(Citation: Co... |
| S0501 | PipeMon | Malware | [PipeMon](https://attack.mitre.org/software/S0501) can use parent PID spoofing to elevate privileges.(Citation: ESET PipeMon May 2020) |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via T... |
References
- Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.
- Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.
- Montemayor, D. et al. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.
- Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.
- Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.
Frequently Asked Questions
What is T1134.004 (Parent PID Spoofing)?
T1134.004 is a MITRE ATT&CK technique named 'Parent PID Spoofing'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their paren...
How can T1134.004 be detected?
Detection of T1134.004 (Parent PID Spoofing) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1134.004?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1134.004?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.