T1134.004

Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. By calling CreateProcess with a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS entry in the process attribute list, an attacker can assign any running process as the apparent parent of the newly spawned child. Security tools that rely on parent-child process lineage for detection see only the spoofed parent, masking the true origin. This technique is also exploited for privilege escalation: by opening a handle to a SYSTEM-level process such as lsass.exe and using it as the spoofed parent, the child process inherits the SYSTEM access token. Used in the wild by Cobalt Strike, KONNI, PipeMon, and DarkGate.

Microsoft Sentinel / Defender

kusto

// T1134.004 — Parent PID Spoofing
// Branch 1: High-privilege system processes spoofed as parents — these never legitimately spawn interactive tools or LOLBins
let HighValueSpoofTargets = dynamic(["lsass.exe", "wininit.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "certutil.exe", "bitsadmin.exe", "cmstp.exe", "installutil.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (HighValueSpoofTargets)
| where FileName has_any (SuspiciousChildren)
| extend SpoofBranch = "HighPrivilegeParentSpawn"
| union (
    // Branch 2: Integrity level mismatch — SYSTEM child spawned from Medium/Low/High integrity parent
    // Legitimate SYSTEM processes spawn SYSTEM children; a mismatch indicates token inheritance via spoofed parent handle
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessIntegrityLevel == "System"
    | where InitiatingProcessIntegrityLevel in~ ("Medium", "Low", "High")
    | where FileName has_any (SuspiciousChildren)
    | extend SpoofBranch = "IntegrityMismatchElevation"
)
| union (
    // Branch 3: explorer.exe as parent of a SYSTEM-integrity process — impossible in normal Windows operation
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where ProcessIntegrityLevel == "System"
    | extend SpoofBranch = "ExplorerSystemChild"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ProcessId,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
         InitiatingProcessParentFileName, ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
         SpoofBranch
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint Process: OS API Execution

Required Tables

DeviceProcessEvents

False Positives

UAC elevation mediated by consent.exe may briefly show svchost.exe as a parent during token reassignment in certain Windows versions before the handoff completes
Enterprise EDR or AV agents that use indirect process spawning for self-protection modules may appear with unexpected parent process assignments in telemetry
Windows Remote Management (WinRM) and PowerShell remoting sessions may produce unusual parent-child relationships when executing cmdlets via the wsmprovhost.exe service host
SCCM/ConfigMgr client agent (CcmExec.exe) spawning PowerShell or cmd.exe for software deployment tasks may produce apparent process tree anomalies from service context

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageShort=lower(replace(ParentImage, ".*\\\\", ""))
| eval ImageShort=lower(replace(Image, ".*\\\\", ""))
| eval IsHighValueSpoofParent=if(match(ParentImageShort, "^(lsass|wininit|smss|csrss|winlogon|services)\.exe$"), 1, 0)
| eval IsSuspiciousChild=if(match(ImageShort, "^(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|msbuild|certutil|bitsadmin|cmstp|installutil)\.exe$"), 1, 0)
| eval IsHighValueAndSuspicious=if(IsHighValueSpoofParent=1 AND IsSuspiciousChild=1, 1, 0)
| eval IsIntegrityMismatch=if(IntegrityLevel="System" AND NOT match(ParentImageShort, "^(lsass|wininit|smss|csrss|winlogon|services|system|ntoskrnl)\.exe$") AND IsSuspiciousChild=1, 1, 0)
| eval IsExplorerSystemChild=if(ParentImageShort="explorer.exe" AND IntegrityLevel="System", 1, 0)
| eval SpoofScore=IsHighValueAndSuspicious + IsIntegrityMismatch + IsExplorerSystemChild
| where SpoofScore > 0
| eval SpoofBranch=case(
    IsHighValueAndSuspicious=1 AND IsIntegrityMismatch=1, "HighPrivilege+IntegrityMismatch",
    IsHighValueAndSuspicious=1, "HighPrivilegeParentSpawn",
    IsIntegrityMismatch=1, "IntegrityMismatchElevation",
    IsExplorerSystemChild=1, "ExplorerSystemChild",
    true(), "MultipleIndicators"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IntegrityLevel, ProcessId, ProcessGuid, SpoofBranch, SpoofScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

UAC consent.exe elevation flows may produce system-process parent assignments during token handoff in some Windows 10/11 configurations
Security products (CrowdStrike, SentinelOne, Carbon Black) using kernel-level process injection for protection modules may appear as anomalous parent-child pairs
Windows Subsystem for Linux (WSL2) process trees can produce unusual parent-child relationships that resemble PPID anomalies when crossing the WSL boundary
SCCM/Intune management agents deploying scripts via CcmExec.exe or the Intune Management Extension service may produce shell spawns with unexpected service process parents

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5s
[
  // Branch 1: High-privilege system process spawning suspicious child tools
  process where event.type == "start" and
  process.parent.name in~ ("lsass.exe", "wininit.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe") and
  process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                    "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "certutil.exe",
                    "bitsadmin.exe", "cmstp.exe", "installutil.exe")
] by process.parent.pid

// Standalone query for all three branches (use as separate search)
/*
process where event.type == "start" and
(
  // Branch 1: Spoofed high-value parent spawning LOLBin/shell
  (
    process.parent.name in~ ("lsass.exe", "wininit.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe") and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "certutil.exe",
                      "bitsadmin.exe", "cmstp.exe", "installutil.exe")
  ) or
  // Branch 2: SYSTEM integrity child from non-SYSTEM integrity parent
  (
    process.token.integrity_level_name == "system" and
    process.parent.token.integrity_level_name in ("medium", "low", "high") and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "certutil.exe",
                      "bitsadmin.exe", "cmstp.exe", "installutil.exe")
  ) or
  // Branch 3: explorer.exe parent of a SYSTEM-integrity process
  (
    process.parent.name =~ "explorer.exe" and
    process.token.integrity_level_name == "system"
  )
)
*/

high severity high confidence

Data Sources

Endpoint Windows Process Telemetry

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate security tools or EDR agents that use CreateProcess with explicit parent handles for process injection monitoring or sandboxing may trigger Branch 2 integrity mismatch alerts
Windows system updates and patching tools (Windows Update, SCCM/MECM) occasionally spawn elevated child processes in ways that may produce anomalous parent-child telemetry, particularly during component servicing
Virtualization or containerization software (Hyper-V, Docker Desktop) may produce unusual process lineage that resembles integrity mismatches due to their privileged operation model

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "ParentImage",
  "Image",
  "CommandLine",
  "ParentCommandLine",
  "IntegrityLevel",
  "ProcessId",
  "ProcessGuid",
  CASE
    WHEN LOWER("ParentImageShort") IN ('lsass.exe','wininit.exe','smss.exe','csrss.exe','winlogon.exe','services.exe')
     AND LOWER("ImageShort") IN ('cmd.exe','powershell.exe','pwsh.exe','rundll32.exe','regsvr32.exe','mshta.exe','wscript.exe','cscript.exe','msbuild.exe','certutil.exe','bitsadmin.exe','cmstp.exe','installutil.exe')
     THEN 'HighPrivilegeParentSpawn'
    WHEN "IntegrityLevel" = 'System'
     AND LOWER("ParentImageShort") NOT IN ('lsass.exe','wininit.exe','smss.exe','csrss.exe','winlogon.exe','services.exe','system','ntoskrnl.exe')
     AND LOWER("ImageShort") IN ('cmd.exe','powershell.exe','pwsh.exe','rundll32.exe','regsvr32.exe','mshta.exe','wscript.exe','cscript.exe','msbuild.exe','certutil.exe','bitsadmin.exe','cmstp.exe','installutil.exe')
     THEN 'IntegrityMismatchElevation'
    WHEN LOWER("ParentImageShort") = 'explorer.exe' AND "IntegrityLevel" = 'System'
     THEN 'ExplorerSystemChild'
    ELSE 'MultipleIndicators'
  END AS spoof_branch
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND QIDNAME(qid) ILIKE '%process create%'
  AND starttime > NOW() - 1 DAYS
  AND (
    -- Branch 1: High-value system process as apparent parent of LOLBin/shell
    (
      LOWER("ParentImage") MATCHES '.*\\(lsass|wininit|smss|csrss|winlogon|services)\.exe'
      AND LOWER("Image") MATCHES '.*\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|msbuild|certutil|bitsadmin|cmstp|installutil)\.exe'
    )
    OR
    -- Branch 2: SYSTEM integrity child from non-SYSTEM, non-privileged parent
    (
      "IntegrityLevel" = 'System'
      AND NOT LOWER("ParentImage") MATCHES '.*\\(lsass|wininit|smss|csrss|winlogon|services|system|ntoskrnl)\.exe'
      AND LOWER("Image") MATCHES '.*\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|msbuild|certutil|bitsadmin|cmstp|installutil)\.exe'
    )
    OR
    -- Branch 3: explorer.exe parent of SYSTEM-integrity process
    (
      LOWER("ParentImage") MATCHES '.*\\explorer\.exe'
      AND "IntegrityLevel" = 'System'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Sysmon via Windows Event Forwarding Microsoft Windows Sysmon

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune, PDQ Deploy) that invoke processes via Windows APIs with explicit parent handles may appear as integrity mismatches when deploying SYSTEM-level configurations
Endpoint Detection and Response (EDR) agents that instrument CreateProcess calls for behavioral monitoring may occasionally generate synthetic parent-child relationships that trigger Branch 2
Windows Subsystem for Linux (WSL2) process creation can produce unusual parent-child relationships in Sysmon telemetry that superficially resemble PPID spoofing patterns

Sumo Logic CSE

sql

// T1134.004 — Parent PID Spoofing — Sumo Logic CSE / Log Analytics
_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "1" or metadata_eventType = "PROCESS_CREATION"
// Normalize image paths to just filename
| parse regex field=ParentImage "(?:.*\\\\)?(?<ParentImageShort>[^\\\\]+$)" nodrop
| parse regex field=Image "(?:.*\\\\)?(?<ImageShort>[^\\\\]+$)" nodrop
| toLowerCase(ParentImageShort) as ParentImageShort
| toLowerCase(ImageShort) as ImageShort
// Branch evaluation
| if(ParentImageShort in ("lsass.exe","wininit.exe","smss.exe","csrss.exe","winlogon.exe","services.exe"), 1, 0) as IsHighValueParent
| if(ImageShort in ("cmd.exe","powershell.exe","pwsh.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","msbuild.exe","certutil.exe","bitsadmin.exe","cmstp.exe","installutil.exe"), 1, 0) as IsSuspiciousChild
| if(IsHighValueParent = 1 and IsSuspiciousChild = 1, 1, 0) as Branch1_HighPrivSpawn
| if(
    IntegrityLevel = "System"
    and !matches(ParentImageShort, "/(lsass|wininit|smss|csrss|winlogon|services|system|ntoskrnl)\.exe/")
    and IsSuspiciousChild = 1,
    1, 0
  ) as Branch2_IntegrityMismatch
| if(
    ParentImageShort = "explorer.exe" and IntegrityLevel = "System",
    1, 0
  ) as Branch3_ExplorerSystemChild
| where Branch1_HighPrivSpawn = 1 or Branch2_IntegrityMismatch = 1 or Branch3_ExplorerSystemChild = 1
| if(Branch1_HighPrivSpawn = 1 and Branch2_IntegrityMismatch = 1, "HighPrivilege+IntegrityMismatch",
    if(Branch1_HighPrivSpawn = 1, "HighPrivilegeParentSpawn",
      if(Branch2_IntegrityMismatch = 1, "IntegrityMismatchElevation",
        if(Branch3_ExplorerSystemChild = 1, "ExplorerSystemChild", "MultipleIndicators")
      )
    )
  ) as SpoofBranch
| toInt(Branch1_HighPrivSpawn) + toInt(Branch2_IntegrityMismatch) + toInt(Branch3_ExplorerSystemChild) as SpoofScore
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IntegrityLevel, ProcessId, ProcessGuid, SpoofBranch, SpoofScore
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sysmon Windows Security Events Sumo Logic CSE Normalized Schema

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*endpoint*

False Positives

Privileged IT automation frameworks (Ansible, Puppet, Chef) that execute tasks under SYSTEM context via scheduled tasks or services may produce parent-child lineage that triggers Branch 2 integrity mismatch detections
Windows Remote Management (WinRM) and PowerShell remoting sessions can produce process trees where the apparent parent is a non-SYSTEM process but the spawned child runs with SYSTEM integrity due to credential delegation
Some AV/EDR products perform trusted process injection or process creation with custom parent attributes as part of their protective functionality, generating telemetry that resembles PPID spoofing

Google Chronicle / SecOps

yaral

rule t1134_004_parent_pid_spoofing {
  meta:
    author = "df00tech"
    description = "Detects Parent PID Spoofing (T1134.004) via three branches: high-privilege system processes appearing to spawn LOLBins/shells (impossible without PPID spoofing), SYSTEM-integrity children parented by lower-integrity processes, and explorer.exe parenting SYSTEM-integrity processes."
    mitre_attack_tactic = "Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1134.004"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1134/004/"
    version = "1.0"
    created = "2026-04-18"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname

    // Normalize parent and child process names
    re.capture($proc.target.process.file.full_path, `[^\\]+$`) = $child_name
    re.capture($proc.principal.process.file.full_path, `[^\\]+$`) = $parent_name

    // Branch 1: High-privilege system parent spawning suspicious child
    // Branch 2: SYSTEM child from non-SYSTEM parent  
    // Branch 3: explorer.exe parenting SYSTEM process
    (
      (
        re.regex($parent_name, `(?i)^(lsass|wininit|smss|csrss|winlogon|services)\.exe$`) and
        re.regex($child_name, `(?i)^(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|msbuild|certutil|bitsadmin|cmstp|installutil)\.exe$`)
      ) or
      (
        $proc.target.process.integrity_level_rid = 16384 and  // SYSTEM integrity
        not re.regex($parent_name, `(?i)^(lsass|wininit|smss|csrss|winlogon|services|system|ntoskrnl)\.exe$`) and
        re.regex($child_name, `(?i)^(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|msbuild|certutil|bitsadmin|cmstp|installutil)\.exe$`)
      ) or
      (
        re.regex($parent_name, `(?i)^explorer\.exe$`) and
        $proc.target.process.integrity_level_rid = 16384  // SYSTEM integrity
      )
    )

  condition:
    $proc
}

high severity medium confidence

Data Sources

Google Chronicle UDM Windows Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Security orchestration tools and SOAR platforms that create processes with specific parent handles for forensic artifact collection or triage automation may trigger Branch 1 or Branch 2 detections
Windows Task Scheduler running tasks under SYSTEM context where the initiating user-mode trigger process appears in telemetry as the parent can create apparent integrity mismatches in Chronicle UDM normalized data
Custom LOB application launchers that use Windows job objects or explicit parent process attributes for process group management may generate unusual parent-child relationships resembling PPID spoofing

CrowdStrike LogScale (CQL)

cql

// T1134.004 — Parent PID Spoofing — CrowdStrike LogScale (Falcon)
// Uses ProcessRollup2 events from Falcon sensor telemetry

#event_simpleName = ProcessRollup2

// Normalize process names from full paths
| ParentBaseFileName := replace("ParentImageFileName", regex=".*\\\\", with="")
| ChildBaseFileName := replace("ImageFileName", regex=".*\\\\", with="")
| ParentBaseFileNameLower := lower(ParentBaseFileName)
| ChildBaseFileNameLower := lower(ChildBaseFileName)

// Define indicator flags for each branch
| IsHighValueParent := if(
    ParentBaseFileNameLower = "lsass.exe" or
    ParentBaseFileNameLower = "wininit.exe" or
    ParentBaseFileNameLower = "smss.exe" or
    ParentBaseFileNameLower = "csrss.exe" or
    ParentBaseFileNameLower = "winlogon.exe" or
    ParentBaseFileNameLower = "services.exe",
    then="1", else="0"
  )

| IsSuspiciousChild := if(
    ChildBaseFileNameLower = "cmd.exe" or
    ChildBaseFileNameLower = "powershell.exe" or
    ChildBaseFileNameLower = "pwsh.exe" or
    ChildBaseFileNameLower = "rundll32.exe" or
    ChildBaseFileNameLower = "regsvr32.exe" or
    ChildBaseFileNameLower = "mshta.exe" or
    ChildBaseFileNameLower = "wscript.exe" or
    ChildBaseFileNameLower = "cscript.exe" or
    ChildBaseFileNameLower = "msbuild.exe" or
    ChildBaseFileNameLower = "certutil.exe" or
    ChildBaseFileNameLower = "bitsadmin.exe" or
    ChildBaseFileNameLower = "cmstp.exe" or
    ChildBaseFileNameLower = "installutil.exe",
    then="1", else="0"
  )

// Branch 1: High-privilege spoofed parent + suspicious child
| Branch1 := if(IsHighValueParent = "1" and IsSuspiciousChild = "1", then="1", else="0")

// Branch 2: SYSTEM token child from non-SYSTEM parent
// IntegrityLevel: 16384=System, 8192=High, 4096=Medium, 1024=Low
| Branch2 := if(
    TargetProcessIntegrityLevel = "16384" and
    ParentProcessIntegrityLevel != "16384" and
    ParentProcessIntegrityLevel != "0" and
    IsSuspiciousChild = "1" and
    IsHighValueParent = "0",
    then="1", else="0"
  )

// Branch 3: explorer.exe parenting SYSTEM-integrity process
| Branch3 := if(
    ParentBaseFileNameLower = "explorer.exe" and
    TargetProcessIntegrityLevel = "16384",
    then="1", else="0"
  )

// Filter to only matching events
| Branch1 = "1" or Branch2 = "1" or Branch3 = "1"

// Build spoof branch label
| SpoofBranch := case {
    Branch1 = "1" and Branch2 = "1" => "HighPrivilege+IntegrityMismatch" ;
    Branch1 = "1" => "HighPrivilegeParentSpawn" ;
    Branch2 = "1" => "IntegrityMismatchElevation" ;
    Branch3 = "1" => "ExplorerSystemChild" ;
    * => "MultipleIndicators"
  }

| SpoofScore := format("%d", array:sum([Branch1, Branch2, Branch3]))

| table(
    [@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     ParentImageFileName, ParentCommandLine,
     TargetProcessIntegrityLevel, ParentProcessIntegrityLevel,
     TargetProcessId, ParentProcessId, SpoofBranch, SpoofScore]
  )
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor ProcessRollup2 Events

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself or other kernel-level security products may create processes with modified parent attributes during threat quarantine, process termination, or remediation actions, generating Branch 1 or Branch 2 matches
Windows Credential Guard and virtualization-based security (VBS) components operate at elevated integrity levels and may exhibit parent-child relationships that appear anomalous in Falcon telemetry when integrity levels are normalized differently by the sensor
Software installers and update mechanisms that request elevation via UAC and then spawn installer child processes may produce integrity level transitions in telemetry that resemble Branch 2 mismatches, particularly MSI-based installers running under SYSTEM via Windows Installer service

Last updated: 2026-04-18 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1134.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1134.003Make and Impersonate Token T1134.005SID-History Injection

Parent PID Spoofing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections