T1134.004

Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. (Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Window...

Windows

6 Detections, 3 Sources, 0 Threat Actors

BY SOURCE

elastic: 3, splunk_escu: 2, sigma: 1

PROCEDURES (6)

Process Creation Monitoring: 1 detection

Auto-extracted: 1 detection for process creation monitoring

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Child Process: 1 detection

Auto-extracted: 1 detection for child process

Authentication Monitoring: 1 detection

Auto-extracted: 1 detection for authentication monitoring

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Child Process: 1 detection

Auto-extracted: 1 detection for child process

DETECTIONS (6)