What is PPID spoofing and how it enables red team trade-craft?
Learn what parent process ID (PPID) spoofing is and how it is used in red team trade-craft.

Uday Mittal
Feb 25, 2025
Imagine you're applying for a job, and the employer requires references. Normally, they would contact your previous employer to verify your background. However, if you don’t want them to find out your real history, you provide a fake reference who vouches for you. The company sees that your reference appears legitimate, even though it's a deception. Similarly, in PPID Spoofing, a process pretends to have been spawned by a legitimate parent, misleading security solutions into believing that it is benign.

Parent Process ID (PPID) Spoofing is a technique used to manipulate the parent-child relationship between processes in Windows. Normally, when a process is created, its Parent Process ID (PPID) is set to the ID of the process that spawned it. However, a red team operator can modify this behavior to create a process that appears to have been spawned by a legitimate parent, evading detection from security solutions that rely on process lineage analysis.


Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

By default, security tools monitor process hierarchies to detect suspicious activities, such as malware spawning from non-standard parent processes (e.g., cmd.exe being launched from notepad.exe). PPID Spoofing allows red team operators to bypass these detection mechanisms by forging a legitimate parent process, such as explorer.exe, so that the malicious process blends into normal system activity. Note that this only defeats tools that trust the parent PID stored in the new process object; telemetry that also records which process actually issued the creation call (for example the header of the kernel process-start ETW event) can still reveal the real creator.

PPID Spoofing is achieved by setting the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute at process creation. This allows the red team operator to specify an arbitrary parent process instead of the real one. The flow for PPID spoofing is as follows:

  • Open a handle to the target parent process - The red team operator must first obtain a handle to a legitimate parent process (e.g., explorer.exe), usually with PROCESS_CREATE_PROCESS access rights.

  • Initialize the STARTUPINFOEX structure - This structure is an extended version of STARTUPINFO and allows the specification of advanced process creation attributes. Its lpAttributeList member is allocated and initialized with InitializeProcThreadAttributeList().

  • Set the PPID attribute - The PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute is set on the attribute list using UpdateProcThreadAttribute(), with the handle from the first step as its value, linking the new process to the chosen parent.

  • Create the new process with the spoofed parent - The malicious process is created using CreateProcess(), passing the STARTUPINFOEX structure as lpStartupInfo and including EXTENDED_STARTUPINFO_PRESENT in the creation flags. The new process records the chosen parent's PID as its PPID rather than that of the process that actually called CreateProcess().
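As an added detection-side example (not code from the original post), the following Python models the check a defender can run over process-creation telemetry. It assumes (my assumption, not the post's) records shaped like an ETW Microsoft-Windows-Kernel-Process ProcessStart event, whose header carries the PID of the process that actually called CreateProcess while the payload's ParentProcessID carries the value supplied through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS; the sample events, PID map and image names are constructed for illustration.

```python
"""Flag PPID spoofing in process-creation telemetry (constructed example).

Assumption: the event header's PID is the real creator (the caller of
CreateProcess), while the payload's ParentProcessID is whatever was set via
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. A mismatch means the parent was spoofed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    header_pid: int  # PID of the process that emitted the event: the real creator
    parent_pid: int  # ParentProcessID from the payload: may be spoofed


# Constructed PID -> image map standing in for a process inventory (not real data).
PROCESSES = {1200: "explorer.exe", 3344: "notepad.exe", 4100: "winword.exe"}

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Benign: explorer.exe starts notepad.exe; header and payload agree.
    ProcessStart(pid=3344, image="notepad.exe", header_pid=1200, parent_pid=1200),
    # Spoofed: winword.exe created cmd.exe but passed explorer.exe as the parent.
    ProcessStart(pid=5020, image="cmd.exe", header_pid=4100, parent_pid=1200),
    # Odd lineage, no spoofing: notepad.exe starts cmd.exe.
    ProcessStart(pid=5100, image="cmd.exe", header_pid=3344, parent_pid=3344),
]

SHELLS = {"cmd.exe", "powershell.exe"}
ODD_SHELL_PARENTS = {"notepad.exe", "winword.exe", "excel.exe"}


def classify(event, processes):
    """Return the findings for one ProcessStart event (empty list if benign)."""
    creator = processes.get(event.header_pid, "unknown")
    claimed = processes.get(event.parent_pid, "unknown")
    findings = []
    if event.header_pid != event.parent_pid:
        findings.append(f"ppid_spoof: {event.image} claims parent {claimed} "
                        f"but was created by {creator}")
    # Judge lineage by the real creator, so a forged parent cannot hide it.
    if event.image in SHELLS and creator in ODD_SHELL_PARENTS:
        findings.append(f"odd_lineage: {creator} spawned {event.image}")
    return findings


def scan(events, processes):
    """Map PID -> findings for every event that produced at least one finding."""
    results = {e.pid: classify(e, processes) for e in events}
    return {pid: f for pid, f in results.items() if f}
```

Tools that only read the parent PID from the process object (Sysmon's ParentProcessId, for instance) will show the spoofed parent, which is why the check keys on the creator recorded in the event header.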

Red Team Notes
- PPID Spoofing is a technique that allows a process to appear as if it had been spawned by a different parent, bypassing security detections based on process lineage. This is achieved by calling the CreateProcess API with the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute set to a handle of the chosen parent process.
