Access Token Manipulation: Parent PID Spoofing T1134.004

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.

Events covered

1 catalog event is tagged with this technique by at least one rule.

Provider | Event ID | Title
Sysmon | 1 | Process creation

Authoring guide

Patterns shared across the 1 rule above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (5 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 1 | ends_with (1) | \SelectMyParent.exe
Hashes | 1 | match (1) | IMPHASH=CA28337632625C8281AB8A130B3D6BAD, IMPHASH=89059503D7FBF470E68F7E63313DA3AD, IMPHASH=04D974875BD225F00902B4CAD9AF3FBC
Description | 1 | eq (1) | SelectMyParent
CommandLine | 1 | match (1) | ppidspoof, spoofppid, spoofedppid
OriginalFileName | 1 | match (1) | ppidspoof, spoofppid, spoofedppid

Top indicator values (21 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
OriginalFileName | match | spoof_ppid | 1 |
OriginalFileName | match | ppid_spoof | 1 |
CommandLine | match | PPID-spoof | 1 |
OriginalFileName | match | spoof-ppid | 1 |
OriginalFileName | match | PPID-spoof | 1 |
CommandLine | match | ppidspoof | 1 |
Image | ends_with | \SelectMyParent.exe | 1 | 2
CommandLine | match | spoofppid | 1 |
CommandLine | match | spoofedppid | 1 |
Hashes | match | IMPHASH=CA28337632625C8281AB8A130B3D6BAD | 1 |
Description | eq | SelectMyParent | 1 |
Hashes | match | IMPHASH=89059503D7FBF470E68F7E63313DA3AD | 1 |
CommandLine | match | spoof_ppid | 1 |
CommandLine | match | ppid_spoof | 1 |
OriginalFileName | match | ppidspoof | 1 |
OriginalFileName | match | spoofedppid | 1 |
OriginalFileName | match | spoofppid | 1 |
Hashes | match | IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E | 1 |
CommandLine | match | -spawnto | 1 |
Hashes | match | IMPHASH=04D974875BD225F00902B4CAD9AF3FBC | 1 |
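The indicator rows above, evaluated over a few constructed Sysmon Event ID 1 records. This is an added example, not code from the catalog or from any rule it lists. The field names, IMPHASH values, keyword strings and operators are the ones in the two tables; the sample events are made up, and the reading of match as a case-insensitive substring test (Sigma's default string-matching semantics) is an assumption of the example.

```python
"""Evaluate the T1134.004 indicator rows listed above against Sysmon
Event ID 1 (process creation) records.  Added example, not catalog code."""
from __future__ import annotations

from dataclasses import dataclass

# Values copied from the indicator tables above.
IMPHASHES = (
    "IMPHASH=CA28337632625C8281AB8A130B3D6BAD",
    "IMPHASH=89059503D7FBF470E68F7E63313DA3AD",
    "IMPHASH=04D974875BD225F00902B4CAD9AF3FBC",
    "IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E",
)
PPID_KEYWORDS = (
    "ppidspoof", "spoofppid", "spoofedppid",
    "spoof_ppid", "ppid_spoof", "PPID-spoof", "spoof-ppid",
)


@dataclass(frozen=True)
class Predicate:
    """One (field, operator, value) row from the indicator table."""
    field: str
    kind: str   # ends_with | eq | match, as in the Kind / How columns
    value: str

    def matches(self, event: dict[str, str]) -> bool:
        # Assumption: as with Sigma's default string matching, comparisons are
        # case-insensitive and 'match' means substring containment.
        actual = event.get(self.field, "").lower()
        wanted = self.value.lower()
        if self.kind == "ends_with":
            return actual.endswith(wanted)
        if self.kind == "eq":
            return actual == wanted
        if self.kind == "match":
            return wanted in actual
        raise ValueError(f"unknown operator {self.kind!r}")

    def label(self) -> str:
        return f"{self.field} {self.kind} {self.value}"


PREDICATES: list[Predicate] = [
    Predicate("Image", "ends_with", "\\SelectMyParent.exe"),
    Predicate("Description", "eq", "SelectMyParent"),
    Predicate("CommandLine", "match", "-spawnto"),
    *(Predicate("Hashes", "match", h) for h in IMPHASHES),
    *(Predicate("CommandLine", "match", k) for k in PPID_KEYWORDS),
    *(Predicate("OriginalFileName", "match", k) for k in PPID_KEYWORDS),
]


def matching_indicators(event: dict[str, str]) -> list[str]:
    """Labels of every indicator row the event satisfies; any one row is a hit."""
    return [p.label() for p in PREDICATES if p.matches(event)]


def is_suspicious(event: dict[str, str]) -> bool:
    """Only Sysmon EID 1 records are in scope for these rows."""
    return event.get("EventID") == "1" and bool(matching_indicators(event))


def scan(events: list[dict[str, str]]) -> list[tuple[int, list[str]]]:
    """(index, fired rows) for each record that satisfies at least one row."""
    return [(i, matching_indicators(e)) for i, e in enumerate(events) if is_suspicious(e)]


# Constructed Sysmon EID 1 records.  Paths, command lines and the placeholder
# hashes are made up; only the one IMPHASH value comes from the table above.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"EventID": "1",
     "Image": "C:\\Users\\alice\\Downloads\\SelectMyParent.exe",
     "OriginalFileName": "SelectMyParent.exe",
     "Description": "SelectMyParent",
     "CommandLine": "SelectMyParent.exe notepad.exe 1234",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000,"
               "IMPHASH=CA28337632625C8281AB8A130B3D6BAD"},
    {"EventID": "1",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "Description": "Notepad",
     "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\"",
     "Hashes": "IMPHASH=11111111111111111111111111111111"},
    {"EventID": "1",
     "Image": "C:\\Temp\\tool.exe",
     "OriginalFileName": "tool.exe",
     "Description": "",
     "CommandLine": "tool.exe -spawnto notepad.exe",
     "Hashes": "IMPHASH=22222222222222222222222222222222"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']}")
        for h in hits:
            print("   ", h)
```

Each hit is reported with the row that fired so it can be weighed against the Corpus reach column: the Image ends_with row is shared with one other rule in the catalog, while the IMPHASH and keyword rows are specific to this technique. Every row keys on the tool's own name, description, import hash or command line rather than on a parent-child relationship, which is the natural shape for this technique: the parent that Sysmon records for the new process is the spoofed one, so the process-creation event alone cannot expose the real creator.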

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 1 rule