Detect Parent PID Spoofing in CrowdStrike LogScale
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. By calling CreateProcess with a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS entry in the process attribute list, an attacker can assign any running process as the apparent parent of the newly spawned child. Security tools that rely on parent-child process lineage for detection see only the spoofed parent, which masks the true origin. The same technique is used for privilege escalation: by opening a handle to a SYSTEM-level process such as lsass.exe and using it as the spoofed parent, the child process inherits the SYSTEM access token. It has been used in the wild by Cobalt Strike, KONNI, PipeMon, and DarkGate.
MITRE ATT&CK
- Technique: T1134 Access Token Manipulation
- Sub-technique: T1134.004 Parent PID Spoofing
- Canonical reference: https://attack.mitre.org/techniques/T1134/004/
LogScale Detection Query
// T1134.004 - Parent PID Spoofing - CrowdStrike LogScale (Falcon)
// Uses ProcessRollup2 events from Falcon sensor telemetry
#event_simpleName=ProcessRollup2
// Normalize process names from full paths: strip everything up to the last backslash.
// replace() takes the regex as its first argument; the source field is passed via field=
| ParentBaseFileName := replace(".*\\\\", field=ParentImageFileName, with="")
| ChildBaseFileName := replace(".*\\\\", field=ImageFileName, with="")
| ParentBaseFileNameLower := lower(ParentBaseFileName)
| ChildBaseFileNameLower := lower(ChildBaseFileName)
// Indicator flags: "1" when the condition holds, "0" otherwise
| IsHighValueParent := if(
    in(ParentBaseFileNameLower, values=["lsass.exe", "wininit.exe", "smss.exe",
                                        "csrss.exe", "winlogon.exe", "services.exe"]),
    then="1", else="0")
| IsSuspiciousChild := if(
    in(ChildBaseFileNameLower, values=["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                                       "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                                       "msbuild.exe", "certutil.exe", "bitsadmin.exe", "cmstp.exe",
                                       "installutil.exe"]),
    then="1", else="0")
// Branch 1: protected system process appears to spawn a shell or LOLBin
| Branch1 := if(IsHighValueParent = "1" and IsSuspiciousChild = "1", then="1", else="0")
// Branch 2: SYSTEM-token child from a non-SYSTEM parent
// IntegrityLevel: 16384=System, 8192=High, 4096=Medium, 1024=Low
// (integrity field names as used in this detection; confirm them against your sensor schema)
| Branch2 := if(
    TargetProcessIntegrityLevel = "16384" and
    ParentProcessIntegrityLevel != "16384" and
    ParentProcessIntegrityLevel != "0" and
    IsSuspiciousChild = "1" and
    IsHighValueParent = "0",
    then="1", else="0")
// Branch 3: explorer.exe parenting a SYSTEM-integrity process
| Branch3 := if(
    ParentBaseFileNameLower = "explorer.exe" and
    TargetProcessIntegrityLevel = "16384",
    then="1", else="0")
// Keep only events where at least one branch fired
| Branch1 = "1" or Branch2 = "1" or Branch3 = "1"
// Label the branch(es). case {} takes the first alternative whose filter matches.
// Branch1 and Branch2 are mutually exclusive by construction (Branch2 requires
// IsHighValueParent = "0"), so the only reachable combination is Branch2 with Branch3.
| case {
    Branch2 = "1" and Branch3 = "1" | SpoofBranch := "IntegrityMismatch+ExplorerSystemChild" ;
    Branch1 = "1" | SpoofBranch := "HighPrivilegeParentSpawn" ;
    Branch2 = "1" | SpoofBranch := "IntegrityMismatchElevation" ;
    Branch3 = "1" | SpoofBranch := "ExplorerSystemChild" ;
    * | SpoofBranch := "MultipleIndicators"
  }
// Number of branches that fired; field arithmetic reads the "0"/"1" strings as numbers
| SpoofScore := Branch1 + Branch2 + Branch3
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
         ParentImageFileName, ParentCommandLine,
         TargetProcessIntegrityLevel, ParentProcessIntegrityLevel,
         TargetProcessId, ParentProcessId, SpoofBranch, SpoofScore])
| sort(@timestamp, order=desc)

CrowdStrike LogScale detection for Parent PID Spoofing using Falcon ProcessRollup2 sensor events. Three-branch logic: Branch 1 detects impossible parent-child process relationships where protected Windows system processes appear to spawn LOLBins or shells (these processes have no legitimate reason to create interactive children); Branch 2 detects integrity level mismatches where a SYSTEM-token process (IntegrityLevel=16384) is parented by a lower-integrity process, the hallmark of PROC_THREAD_ATTRIBUTE_PARENT_PROCESS abuse for privilege escalation; Branch 3 catches explorer.exe appearing as the parent of any SYSTEM-integrity process. Directly targets Cobalt Strike PPID spoofing capabilities and similar C2 implementations.
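To check the three-branch logic offline before deploying the query, here is a Python port of it (added example code written for this page, not part of the detection package). It reads the same field names the query uses (ImageFileName, ParentImageFileName, TargetProcessIntegrityLevel, ParentProcessIntegrityLevel) from constructed event dicts and, unlike the query's single SpoofBranch label, reports every branch that fired.

```python
import re

# Name lists copied from the LogScale query above
HIGH_VALUE_PARENTS = {"lsass.exe", "wininit.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "msbuild.exe", "certutil.exe", "bitsadmin.exe",
                       "cmstp.exe", "installutil.exe"}
SYSTEM_IL = "16384"  # integrity level of a SYSTEM token, as used in the query
def base_name(path):
    """Same normalisation as the query: drop everything up to the last backslash, then lowercase."""
    return re.sub(r".*\\", "", path).lower()
def classify(event):
    """Evaluate the three branches on one ProcessRollup2-shaped event.
    Returns (labels of the branches that fired, SpoofScore), or None if none fired."""
    parent = base_name(event.get("ParentImageFileName", ""))
    child = base_name(event.get("ImageFileName", ""))
    child_il = str(event.get("TargetProcessIntegrityLevel", ""))
    parent_il = str(event.get("ParentProcessIntegrityLevel", ""))
    fired = []
    # Branch 1: protected system process appears to spawn a shell or LOLBin
    if parent in HIGH_VALUE_PARENTS and child in SUSPICIOUS_CHILDREN:
        fired.append("HighPrivilegeParentSpawn")
    # Branch 2: SYSTEM-token child under a parent that is neither SYSTEM nor a
    # high-value process; "0" means the sensor reported no parent integrity level
    if (child_il == SYSTEM_IL and parent_il not in (SYSTEM_IL, "0")
            and child in SUSPICIOUS_CHILDREN and parent not in HIGH_VALUE_PARENTS):
        fired.append("IntegrityMismatchElevation")
    # Branch 3: explorer.exe as the parent of any SYSTEM-integrity process
    if parent == "explorer.exe" and child_il == SYSTEM_IL:
        fired.append("ExplorerSystemChild")
    return (fired, len(fired)) if fired else None

# Constructed sample events (not real Falcon telemetry); only the fields the branches read
SAMPLE_EVENTS = [
    {"ImageFileName": r"C:\Windows\System32\cmd.exe", "ParentImageFileName": r"C:\Windows\System32\LSASS.EXE",
     "TargetProcessIntegrityLevel": "16384", "ParentProcessIntegrityLevel": "16384"},
    {"ImageFileName": r"C:\Windows\System32\cmd.exe", "ParentImageFileName": r"C:\Windows\explorer.exe",
     "TargetProcessIntegrityLevel": "16384", "ParentProcessIntegrityLevel": "8192"},
    {"ImageFileName": r"C:\Windows\System32\svchost.exe", "ParentImageFileName": r"C:\Windows\System32\services.exe",
     "TargetProcessIntegrityLevel": "16384", "ParentProcessIntegrityLevel": "16384"},
]

def run_detection(events):
    # Mirror the query's filter: keep only events where at least one branch fired
    hits = []
    for i, event in enumerate(events):
        result = classify(event)
        if result:
            hits.append((i, *result))
    return hits
```

The third sample (services.exe starting svchost.exe) is the benign control: a SYSTEM parent and a non-LOLBin child fire no branch.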
False Positives & Tuning
- CrowdStrike Falcon sensor itself or other kernel-level security products may create processes with modified parent attributes during threat quarantine, process termination, or remediation actions, generating Branch 1 or Branch 2 matches
- Windows Credential Guard and virtualization-based security (VBS) components operate at elevated integrity levels and may exhibit parent-child relationships that appear anomalous in Falcon telemetry when integrity levels are normalized differently by the sensor
- Software installers and update mechanisms that request elevation via UAC and then spawn installer child processes may produce integrity level transitions in telemetry that resemble Branch 2 mismatches, particularly MSI-based installers running under SYSTEM via Windows Installer service
Testing Methodology
Validate this detection with the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PPID Spoofing via PowerShell P/Invoke (Explorer Parent)
  Expected signal:
  - Sysmon Event ID 1: cmd.exe process creation with ParentImage=<path>\explorer.exe and ParentProcessId matching the selected explorer.exe PID. The actual spawning process (PowerShell) does NOT appear as ParentImage.
  - Sysmon Event ID 10: may capture OpenProcess against explorer.exe from PowerShell with GrantedAccess=0x0080.
  - Security Event ID 4688 (if audit enabled): CreatorProcessId=PowerShell's PID, ParentProcessId=explorer.exe's PID; the mismatch confirms spoofing.
- Test 2: PPID Spoofing for Privilege Escalation (LSASS as Spoofed Parent)
  Expected signal:
  - Sysmon Event ID 1: cmd.exe with ParentImage=lsass.exe, ParentProcessId=LSASS PID, IntegrityLevel=System.
  - Sysmon Event ID 10: SourceImage=PowerShell accessing TargetImage=lsass.exe with GrantedAccess=0x0080.
  - Security Event ID 4672: special privilege logon for the SYSTEM session inherited by cmd.exe.
  - Security Event ID 4688 (if audit enabled): CreatorProcessId=PowerShell PID vs ParentProcessId=LSASS PID; the mismatch is the definitive forensic artifact.
- Test 3: Cobalt Strike Spawn-To Simulation (Rundll32 Under Explorer)
  Expected signal:
  - Sysmon Event ID 1: rundll32.exe creation with ParentImage=explorer.exe and ParentProcessId matching the selected explorer.exe PID.
  - Sysmon Event ID 10: OpenProcess from PowerShell against explorer.exe with GrantedAccess=0x0080.
  - The rundll32.exe -> explorer.exe parent relationship is the canonical Cobalt Strike PPID spoofing telemetry signature seen in real incident response engagements.
- Test 4: PPID Spoofing Detection Validation (Sysmon ParentProcessId vs Security 4688 CreatorProcessId)
  Expected signal:
  - Sysmon Event ID 1: cmd.exe with ParentImage=svchost.exe, ParentProcessId=<svchost PID>.
  - Security Event ID 4688 (requires audit process creation + command line enabled): CreatorProcessId=<PowerShell PID>, ParentProcessId=<svchost PID>; the mismatch between Creator and Parent is the definitive PPID spoof indicator.
  - The test outputs the exact PID values needed for manual SIEM correlation, so you can confirm the discrepancy is visible in your environment.
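The Creator-vs-Parent correlation that Test 4 asks you to do by hand, as an added Python example written for this page (not part of the test package). It joins constructed Sysmon Event ID 1 and Security 4688 records on the new process's PID, with a time window because PIDs are reused, normalises the 0x-hex PIDs that 4688 writes against Sysmon's decimal ones, and reports every child whose audited creator is not the parent Sysmon shows. Record keys follow the page's wording (ParentProcessId, CreatorProcessId) rather than raw EVTX field names.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Keys follow the page's wording
# (ParentProcessId, CreatorProcessId); Security 4688 reports PIDs as 0x-hex strings.
SYSMON_EID1 = [
    {"UtcTime": "2024-05-01 10:00:00.120", "ProcessId": "4412", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": "1180", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"UtcTime": "2024-05-01 10:00:05.000", "ProcessId": "5120", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": "3300", "ParentImage": r"C:\Windows\explorer.exe"},
]
SECURITY_4688 = [
    {"TimeCreated": "2024-05-01 10:00:00.118", "NewProcessId": "0x113c", "CreatorProcessId": "0x1a40",
     "CreatorProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"TimeCreated": "2024-05-01 10:00:04.990", "NewProcessId": "0x1400", "CreatorProcessId": "0xce4",
     "CreatorProcessName": r"C:\Windows\explorer.exe"},
]

def pid(value):
    """Normalise a PID given as decimal (Sysmon) or 0x-prefixed hex (Security 4688)."""
    return int(str(value), 0)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def correlate(sysmon_events, security_events, window=timedelta(seconds=2)):
    """Pair each Sysmon EID 1 with the 4688 for the same new PID recorded within `window`
    (PIDs are reused, so the PID alone is not a safe join key) and report cases where the
    4688 creator differs from the Sysmon parent: the Creator-vs-Parent mismatch above."""
    by_pid = {}
    for sec in security_events:
        by_pid.setdefault(pid(sec["NewProcessId"]), []).append(sec)
    findings = []
    for ev in sysmon_events:
        child = pid(ev["ProcessId"])
        t_sysmon = parse_ts(ev["UtcTime"])
        for sec in by_pid.get(child, []):
            if abs(parse_ts(sec["TimeCreated"]) - t_sysmon) > window:
                continue  # a different process that happened to reuse this PID
            creator, parent = pid(sec["CreatorProcessId"]), pid(ev["ParentProcessId"])
            if creator != parent:
                findings.append({"child_pid": child, "image": ev["Image"],
                                 "sysmon_parent": (parent, ev["ParentImage"]),
                                 "audit_creator": (creator, sec["CreatorProcessName"])})
    return findings
```

In the sample data only cmd.exe (PID 4412) is reported: Sysmon names svchost.exe as its parent while the 4688 creator is powershell.exe, whereas notepad.exe's creator and parent agree.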
References (8)
- https://attack.mitre.org/techniques/T1134/004/
- https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
- https://www.countercept.com/blog/detecting-parent-pid-spoofing/
- https://blog.xpnsec.com/becoming-system/
- https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
- https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
- https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md