GET /api/techniques/173/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 173,
    "key": "access-token-manipulation-parent-pid-spoofing",
    "unprotect_id": "U1234,T1134.004",
    "name": "Access Token Manipulation: Parent PID Spoofing",
    "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. \r\n\r\nOne way of explicitly assigning the PPID of a new process is via the `CreateProcess` API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.\r\n\r\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.\r\n\r\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.",
    "resources": "https://github.com/hlldz/APC-PPID\nhttps://attack.mitre.org/techniques/T1134/004/",
    "creation_date": "2021-07-27T13:05:01.292000Z",
    "tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nparent process identifier (PPID),\r\nevade process-monitoring defenses,\r\nCreateProcess API call,\r\nUser Account Control (UAC),\r\ninherited access token,",
    "modification_date": "2023-10-04T10:42:20.837000Z",
    "category": [
        4,
        10
    ],
    "rules": [
        88
    ],
    "attachments": [],
    "featured_api": [
        3,
        4,
        6,
        11,
        21,
        22,
        23,
        24,
        26,
        27,
        28,
        365
    ],
    "contributors": []
}