Detect Parent PID Spoofing in Sumo Logic CSE
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. By calling CreateProcess with a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS entry in the process attribute list, an attacker can assign any running process as the apparent parent of the newly spawned child. Security tools that rely on parent-child process lineage for detection see only the spoofed parent, masking the true origin. This technique is also exploited for privilege escalation: by opening a handle to a SYSTEM-level process such as lsass.exe and using it as the spoofed parent, the child process inherits the SYSTEM access token. Used in the wild by Cobalt Strike, KONNI, PipeMon, and DarkGate.
MITRE ATT&CK
- Technique
- T1134 Access Token Manipulation
- Sub-technique
- T1134.004 Parent PID Spoofing
- Canonical reference
- https://attack.mitre.org/techniques/T1134/004/
Sumo Detection Query
// T1134.004 — Parent PID Spoofing — Sumo Logic CSE / Log Analytics
_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "1" or metadata_eventType = "PROCESS_CREATION"
// Normalize image paths to just filename
| parse regex field=ParentImage "(?:.*\\\\)?(?<ParentImageShort>[^\\\\]+$)" nodrop
| parse regex field=Image "(?:.*\\\\)?(?<ImageShort>[^\\\\]+$)" nodrop
| toLowerCase(ParentImageShort) as ParentImageShort
| toLowerCase(ImageShort) as ImageShort
// Branch evaluation
| if(ParentImageShort in ("lsass.exe","wininit.exe","smss.exe","csrss.exe","winlogon.exe","services.exe"), 1, 0) as IsHighValueParent
| if(ImageShort in ("cmd.exe","powershell.exe","pwsh.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","msbuild.exe","certutil.exe","bitsadmin.exe","cmstp.exe","installutil.exe"), 1, 0) as IsSuspiciousChild
| if(IsHighValueParent = 1 and IsSuspiciousChild = 1, 1, 0) as Branch1_HighPrivSpawn
| if(
IntegrityLevel = "System"
and !matches(ParentImageShort, "/(lsass|wininit|smss|csrss|winlogon|services|system|ntoskrnl)\.exe/")
and IsSuspiciousChild = 1,
1, 0
) as Branch2_IntegrityMismatch
| if(
ParentImageShort = "explorer.exe" and IntegrityLevel = "System",
1, 0
) as Branch3_ExplorerSystemChild
| where Branch1_HighPrivSpawn = 1 or Branch2_IntegrityMismatch = 1 or Branch3_ExplorerSystemChild = 1
| if(Branch1_HighPrivSpawn = 1 and Branch2_IntegrityMismatch = 1, "HighPrivilege+IntegrityMismatch",
if(Branch1_HighPrivSpawn = 1, "HighPrivilegeParentSpawn",
if(Branch2_IntegrityMismatch = 1, "IntegrityMismatchElevation",
if(Branch3_ExplorerSystemChild = 1, "ExplorerSystemChild", "MultipleIndicators")
)
)
) as SpoofBranch
| toInt(Branch1_HighPrivSpawn) + toInt(Branch2_IntegrityMismatch) + toInt(Branch3_ExplorerSystemChild) as SpoofScore
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IntegrityLevel, ProcessId, ProcessGuid, SpoofBranch, SpoofScore
| sort by _messageTime descSumo Logic detection for Parent PID Spoofing using Sysmon Event ID 1 (Process Create) or CSE normalized process creation metadata. Three-branch logic mirrors the KQL/SPL reference: Branch 1 flags impossible parent-child relationships involving protected system processes; Branch 2 detects integrity level mismatches indicating SYSTEM token inheritance through spoofed parent handles; Branch 3 catches the impossible scenario of explorer.exe parenting SYSTEM-integrity processes. SpoofScore provides a risk weight for triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Privileged IT automation frameworks (Ansible, Puppet, Chef) that execute tasks under SYSTEM context via scheduled tasks or services may produce parent-child lineage that triggers Branch 2 integrity mismatch detections
- Windows Remote Management (WinRM) and PowerShell remoting sessions can produce process trees where the apparent parent is a non-SYSTEM process but the spawned child runs with SYSTEM integrity due to credential delegation
- Some AV/EDR products perform trusted process injection or process creation with custom parent attributes as part of their protective functionality, generating telemetry that resembles PPID spoofing
Other platforms for T1134.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PPID Spoofing via PowerShell P/Invoke — Explorer Parent
Expected signal: Sysmon Event ID 1: cmd.exe process creation with ParentImage=<path>\explorer.exe and ParentProcessId matching the selected explorer.exe PID. The actual spawning process (PowerShell) does NOT appear as ParentImage. Sysmon Event ID 10: may capture OpenProcess against explorer.exe from PowerShell with GrantedAccess=0x0080. Security Event ID 4688 (if audit enabled): CreatorProcessId=PowerShell's PID, ParentProcessId=explorer.exe's PID — the mismatch confirms spoofing.
- Test 2PPID Spoofing for Privilege Escalation — LSASS as Spoofed Parent
Expected signal: Sysmon Event ID 1: cmd.exe with ParentImage=lsass.exe, ParentProcessId=LSASS PID, IntegrityLevel=System. Sysmon Event ID 10: SourceImage=PowerShell accessing TargetImage=lsass.exe with GrantedAccess=0x0080. Security Event ID 4672: Special privilege logon for the SYSTEM session inherited by cmd.exe. Security Event ID 4688 (if audit enabled): CreatorProcessId=PowerShell PID vs ParentProcessId=LSASS PID — mismatch is the definitive forensic artifact.
- Test 3Cobalt Strike Spawn-To Simulation — Rundll32 Under Explorer
Expected signal: Sysmon Event ID 1: rundll32.exe creation with ParentImage=explorer.exe and ParentProcessId matching the selected explorer.exe PID. Sysmon Event ID 10: OpenProcess from PowerShell against explorer.exe with GrantedAccess=0x0080. The rundll32.exe -> explorer.exe parent relationship is the canonical Cobalt Strike PPID spoofing telemetry signature seen in real incident response engagements.
- Test 4PPID Spoofing Detection Validation — Sysmon ParentProcessId vs Security 4688 CreatorProcessId
Expected signal: Sysmon Event ID 1: cmd.exe with ParentImage=svchost.exe, ParentProcessId=<svchost PID>. Security Event ID 4688 (requires audit process creation + command line enabled): CreatorProcessId=<PowerShell PID>, ParentProcessId=<svchost PID> — the mismatch between Creator and Parent is the definitive PPID spoof indicator. The test outputs exact PID values needed for manual SIEM correlation to confirm the discrepancy is visible in your environment.
References (8)
- https://attack.mitre.org/techniques/T1134/004/
- https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
- https://www.countercept.com/blog/detecting-parent-pid-spoofing/
- https://blog.xpnsec.com/becoming-system/
- https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
- https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
- https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md
Unlock Pro Content
Get the full detection package for T1134.004 including response playbook, investigation guide, and atomic red team tests.