
🎭 PPID spoofing

PPID Spoofing (Parent Process ID Spoofing) is a technique used by attackers to manipulate the Parent Process ID (PPID) of a newly created process. This is commonly done to blend malicious activity with legitimate processes, making detection harder for security solutions such as EDRs and SIEMs.

When a new process is created on Windows, the kernel records the PID of the creating process as the new process's parent; by default that is whatever process called CreateProcess. The process-creation API also lets the caller name a different parent, so an attacker can make a malicious process appear to have been launched by a trusted process that routinely spawns children, such as explorer.exe or svchost.exe. The spoofed parent must be plausible: a parent that normally never spawns anything (lsass.exe, for instance) draws more attention than it deflects.

🛠 How PPID Spoofing Works

Identify a Legitimate Parent Process : The attacker chooses a process that security tools and analysts treat as a normal parent for the kind of child being launched, such as explorer.exe or svchost.exe. The parent must also be one the attacker can open: it has to be in a session and at an integrity level the attacker's current process is allowed to access.

Retrieve the Target PPID : Using Windows API calls (a CreateToolhelp32Snapshot/Process32Next walk, or simply Get-Process from PowerShell), the attacker fetches the process ID (PID) of the chosen legitimate process and opens it with OpenProcess requesting the PROCESS_CREATE_PROCESS access right. If that call fails, the spoof cannot proceed with this parent.

Create a Process with a Spoofed PPID : Instead of accepting the default parent, the attacker builds a STARTUPINFOEX attribute list containing PROC_THREAD_ATTRIBUTE_PARENT_PROCESS set to the handle from the previous step, and passes it to CreateProcess with the EXTENDED_STARTUPINFO_PRESENT flag. The new process is then recorded with the chosen parent: Task Manager, Sysmon Event ID 1 and Security event 4688 all show the spoofed PPID. Two facts remain that a defender can use: the child's primary token still comes from the actual caller, not from the spoofed parent, and the kernel's process-creation callback (PsSetCreateProcessNotifyRoutineEx) reports the real creating thread in CreatingThreadId alongside the spoofed ParentProcessId, so an EDR that compares the two can flag the mismatch.