Skip to content

PPID spoofing via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS not detected #1145

Open
Open
PPID spoofing via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS not detected#1145
Labels
false negativerule expected to match but doesnt
@akshat4703

Description

@akshat4703
akshat4703
opened on Mar 21, 2026

What should have matched?

A capability for spawning a process with a spoofed parent process (PPID spoofing).

What happened?

No relevant capability was detected.

Why this looks like a miss

The sample uses the classic PPID spoofing flow:

  • InitializeProcThreadAttributeList
  • UpdateProcThreadAttribute with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
  • CreateProcess* with extended startup attributes

This is a common defense-evasion behavior and should be a strong candidate for rule coverage.

Suggested detection direction

Conservative initial rule requiring co-occurrence of:

  1. attribute-list initialization APIs, and
  2. parent-process attribute update, and
  3. process creation API usage within the same function/scope.

Metadata

Metadata

Assignees

No one assigned

    Labels

    false negativerule expected to match but doesnt

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions