title: Parent PID Spoofing (T1134.004)
id: df00tech-t1134-004
status: experimental
description: "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. By calling CreateProcess with a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS entry in the process attribute list, an attacker can assign any running process as the apparent parent of the newly spawned child. Security tools that rely on parent-child process lineage for detection see only the spoofed parent, masking the true origin. This technique is also exploited for privilege escalation: by opening a handle to a SYSTEM-level process such as lsass.exe and using it as the spoofed parent, the child process inherits the SYSTEM access token. Used in the wild by Cobalt Strike, KONNI, PipeMon, and DarkGate."
references:
  - https://attack.mitre.org/techniques/T1134/004/
  - https://df00tech.com/detections/T1134.004
author: df00tech
date: 2026/04/18
tags:
  - attack.t1134.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder selection: 'EventID: *' matches every process_creation event and would
  # alert on all of them, so replace it with the real logic before enabling the rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - UAC elevation mediated by consent.exe may briefly show svchost.exe as a parent during token reassignment in certain Windows versions before the handoff completes
  - Enterprise EDR or AV agents that use indirect process spawning for self-protection modules may appear with unexpected parent process assignments in telemetry
  - Windows Remote Management (WinRM) and PowerShell remoting sessions may produce unusual parent-child relationships when executing cmdlets via the wsmprovhost.exe service host
  - SCCM/ConfigMgr client agent (CcmExec.exe) spawning PowerShell or cmd.exe for software deployment tasks may produce apparent process tree anomalies from service context
level: high
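Added example, not df00tech's rule or code: a Python check over constructed process-start records that compares the process that emitted each event with the parent it declares, which is the lineage mismatch the description above points at. It assumes the ETW Microsoft-Windows-Kernel-Process ProcessStart layout (event header ProcessId is the real CreateProcess caller, payload ParentProcessID is the value set through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS); the PIDs, image names and the broker allow-list are assumptions.

```python
"""Added example, not part of the df00tech rule. Assumed record layout, modelled
on the ETW Microsoft-Windows-Kernel-Process ProcessStart event: the header's
ProcessId is the real CreateProcess caller, the payload's ParentProcessID is
the value set via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. Data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessStart:
    header_pid: int   # process that emitted the event (true creator)
    parent_pid: int   # declared parent from the event payload
    child_pid: int
    child_image: str

# Image names keyed by PID, as a process-tracking pipeline would hold them (constructed).
IMAGE_BY_PID = {700: "lsass.exe", 1204: "svchost.exe", 1612: "explorer.exe",
                2440: "powershell.exe", 4128: "winword.exe"}

# Constructed telemetry: a normal launch; a UAC elevation brokered by svchost.exe
# (appinfo) for explorer.exe; winword.exe creating cmd.exe while declaring
# explorer.exe as parent; powershell.exe declaring lsass.exe as parent (SYSTEM token).
SAMPLE_EVENTS = [
    ProcessStart(1612, 1612, 5300, "notepad.exe"),
    ProcessStart(1204, 1612, 5311, "mmc.exe"),
    ProcessStart(4128, 1612, 5412, "cmd.exe"),
    ProcessStart(2440, 700, 5520, "cmd.exe"),
]

# Callers that legitimately create processes on another process's behalf.
# Tune per environment; see the falsepositives list in the rule above.
ELEVATION_BROKERS = {"svchost.exe", "consent.exe"}

def find_ppid_spoofing(events, image_by_pid=IMAGE_BY_PID):
    """Return (child_pid, child_image, true_creator, declared_parent) for each event
    whose creator differs from its declared parent, ignoring known brokers."""
    hits = []
    for ev in events:
        if ev.header_pid == ev.parent_pid:
            continue  # lineage is consistent
        creator = image_by_pid.get(ev.header_pid, f"pid:{ev.header_pid}")
        if creator.lower() in ELEVATION_BROKERS:
            continue  # expected mismatch from the UAC elevation path
        declared = image_by_pid.get(ev.parent_pid, f"pid:{ev.parent_pid}")
        hits.append((ev.child_pid, ev.child_image, creator, declared))
    return hits

if __name__ == "__main__":
    for hit in find_ppid_spoofing(SAMPLE_EVENTS):
        print("possible PPID spoofing: child %d (%s) created by %s, declared parent %s" % hit)
```

Telemetry that records only the declared parent (a ParentProcessId field on its own) cannot distinguish the two cases, so the check needs a source that also carries the emitting process.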
