What is PPID spoofing and how does it enable red team tradecraft?
Learn what parent process ID (PPID) spoofing is and how to use it in red team tradecraft.
Imagine you're applying for a job, and the employer requires references. Normally, they would contact your previous employer to verify your background. However, if you don’t want them to find out your real history, you provide a fake reference who vouches for you. The company sees that your reference appears legitimate, even though it's a deception. Similarly, in PPID Spoofing, a process pretends to have been spawned by a legitimate parent, misleading security solutions into believing that it is benign.
Parent Process ID (PPID) Spoofing is a technique for manipulating the parent-child relationship between processes on Windows. Normally, when a process is created, the kernel records the PID of the creating process as the new process's parent (its PPID). A red team operator can override this at creation time so that the new process appears to have been spawned by a legitimate parent of their choosing, evading detections that rely on process lineage analysis.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
By default, security tools monitor process hierarchies to detect suspicious activity, such as malware spawning from a non-standard parent (e.g., cmd.exe being launched from notepad.exe). PPID Spoofing allows red team operators to bypass these detection mechanisms by forging a legitimate parent process, such as explorer.exe, so that the malicious process blends into normal system activity.
PPID Spoofing is achieved by setting the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute in the attribute list passed to CreateProcess(). This is a documented Windows feature, not a bug: it lets the caller specify an arbitrary parent process instead of being recorded as the parent itself. The flow for PPID spoofing is as follows:
1. Open a handle to the target parent process. The red team operator must first obtain a handle to a legitimate parent process (e.g., explorer.exe) with at least PROCESS_CREATE_PROCESS access rights; this is the only right the kernel requires for the handle to be usable as a parent.
2. Initialize the STARTUPINFOEX structure. This structure is an extended version of STARTUPINFO that carries a pointer to a PROC_THREAD_ATTRIBUTE_LIST. The list is sized with a first call to InitializeProcThreadAttributeList() (which fails with ERROR_INSUFFICIENT_BUFFER and returns the required size), then allocated and initialized with a second call.
3. Set the PPID attribute. UpdateProcThreadAttribute() is called with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS and a pointer to the parent handle from step 1, linking the new process to the chosen parent.
4. Create the new process with the spoofed parent. The process is created with CreateProcess(), passing the STARTUPINFOEX structure and the EXTENDED_STARTUPINFO_PRESENT creation flag (without that flag the attribute list is ignored). The new process is recorded with the spoofed PPID rather than the creator's PID.
Red Team Notes
- PPID Spoofing is a technique that allows a process to appear as if it was spawned by a different parent, bypassing security detections based on process lineage. This is achieved with the CreateProcess API and a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute in a STARTUPINFOEX attribute list, which assigns a chosen parent process. The spoof only controls the parent PID the kernel records: defenders using the kernel process-creation callback (PsSetCreateProcessNotifyRoutineEx) still receive the real creating thread in PS_CREATE_NOTIFY_INFO.CreatingThreadId alongside the spoofed ParentProcessId, so an EDR that compares the two can flag the mismatch, and the handle opened on the spoofed parent is itself an observable event.