Parent PID Spoofing (T1502)

Technique & Subtechniques

  • Parent PID Spoofing

Associated Tactics

  • Defense Evasion
  • Privilege Escalation

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Description Source(s)
Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019. DidierStevens SelectMyParent Nov 2009
Montemayor, D. et al. (2018, November 15). How User Account Control works. Retrieved June 3, 2019. Microsoft UAC Nov 2018
Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. CounterCept PPID Spoofing Dec 2018
Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019. CTD PPID Spoofing Macro Mar 2019
Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019. XPNSec PPID Nov 2017
Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. Microsoft Process Creation Flags May 2018
Secuirtyinbits. (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. Secuirtyinbits Ataware3 May 2019