| ID | Name |
|---|---|
| ATAGS-T1079.001 | Create Process with Token |
| ATAGS-T1079.002 | Make and Impersonate Token |
| ATAGS-T1079.003 | Parent PID Spoofing |
| ATAGS-T1079.004 | SID-History Injection |
| ATAGS-T1079.005 | Token Impersonation/Theft |
Threat Actors may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless a different parent is explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.
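Because the CreateProcess parent parameter described above requires the creator to first open the intended parent with the PROCESS_CREATE_PROCESS access right, the handle open is observable even though the child records the spoofed parent. The following added example (not code from this page) correlates constructed Sysmon-style ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) records to flag that pattern; all PIDs, timestamps and the 5-second window are assumptions.

```python
# Added detection example: correlate Sysmon-style ProcessAccess (ID 10) and
# ProcessCreate (ID 1) records. Assumption: reparenting via the CreateProcess
# parent attribute needs a handle to the target parent with PROCESS_CREATE_PROCESS,
# so a child whose recorded parent was just opened by a third process is suspect.
from dataclasses import dataclass

PROCESS_CREATE_PROCESS = 0x0080  # access-mask bit required to reparent under a process

@dataclass
class Event:
    event_id: int   # 10 = ProcessAccess, 1 = ProcessCreate
    time: float     # seconds; constructed timestamps for the sample below
    fields: dict

def find_ppid_spoofing(events, window=5.0):
    """Return (creator_pid, claimed_parent_pid, child_pid) for each child whose
    recorded parent was opened for CREATE_PROCESS by a different process within
    `window` seconds before the child appeared."""
    recent_opens = []  # (time, source_pid, target_pid)
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        f = ev.fields
        if ev.event_id == 10 and f["granted_access"] & PROCESS_CREATE_PROCESS:
            if f["source_pid"] != f["target_pid"]:
                recent_opens.append((ev.time, f["source_pid"], f["target_pid"]))
        elif ev.event_id == 1:
            for t, src, tgt in recent_opens:
                if 0 <= ev.time - t <= window and tgt == f["parent_pid"]:
                    hits.append((src, tgt, f["pid"]))
    return hits

def sample_events():
    """Constructed sample log: one benign query, one reparenting sequence."""
    return [
        # benign: a monitoring tool queries explorer.exe (pid 1234) with limited rights
        Event(10, 1.0, {"source_pid": 3000, "target_pid": 1234, "granted_access": 0x1000}),
        Event(1, 2.0, {"pid": 4100, "parent_pid": 3000}),
        # suspicious: pid 4321 opens pid 1234 with full access, then a new process
        # appears claiming 1234 as its parent although 4321 did the work
        Event(10, 10.0, {"source_pid": 4321, "target_pid": 1234, "granted_access": 0x1FFFFF}),
        Event(1, 10.4, {"pid": 5678, "parent_pid": 1234}),
    ]

if __name__ == "__main__":
    for creator, parent, child in find_ppid_spoofing(sample_events()):
        print(f"pid {child} claims parent {parent}, but {creator} opened it for CREATE_PROCESS")
```

The UAC flow the text describes (svchost.exe or consent.exe reparenting an elevated process under the requesting user process) produces this same pattern legitimately, so in practice the rule is paired with an allow-list of known Windows images and paths before it raises an alert.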
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.