🥷 Parent Process Identifier Spoofing

PPID spoofing lets an attacker choose which process is recorded as the parent of a process they start, instead of the process that actually called CreateProcess. On Windows this is done through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute of an extended startup block (STARTUPINFOEX): the caller opens the desired parent with PROCESS_CREATE_PROCESS rights, places that handle in the attribute list, and passes it to CreateProcess, so the new process is linked to the chosen parent (MITRE ATT&CK T1134.004). A malicious document that spawns cmd.exe can therefore appear to have been spawned by explorer.exe or RuntimeBroker.exe, defeating detections that key on parent/child process relationships. Two practical limits apply: the caller must be able to open the chosen parent with PROCESS_CREATE_PROCESS, so an unprivileged process cannot pick a SYSTEM or protected process as its parent; and the spoof only changes the parent ID reported by process-creation telemetry (Sysmon Event ID 1, Win32_Process), while the real creator remains visible to kernel process-creation callbacks (the CreatingThreadId field of PS_CREATE_NOTIFY_INFO), so telemetry that records both the reported parent and the creating thread can flag the mismatch.

🧑‍🏫 Usage

⌨ CLI

mtg traces processes spoofing C:/windows/notepad.exe RuntimeBroker.exe

📄 File configuration

[[traces]]
[traces.spoofing]
executable = "C:/windows/notepad.exe"
parent_executable = "RuntimeBroker.exe"