
Consider Parent PID spoofing

Open JohnLaTwC opened this issue 4 years ago • 5 comments

https://github.com/Neo23x0/Raccine/blob/b8ea99ad4b4e393b3cab2639b33755a26d3a8868/raccine.cpp#L223

You may want to check out this article on parent PID spoofing: https://pentestlab.blog/2020/02/24/parent-pid-spoofing/

JohnLaTwC avatar Oct 05 '20 14:10 JohnLaTwC

Is there any reasonable user-land way to detect this, @JohnLaTwC?

olliencc avatar Oct 11 '20 05:10 olliencc

The only way I can see to detect PPID spoofing is via ETW.

olliencc avatar Oct 15 '20 17:10 olliencc

AFAIK, UAC will also spoof your parent process by using the svchost service name.

Omodaka9375 avatar Oct 15 '20 18:10 Omodaka9375

Reference to what @olliencc and @Omodaka9375 said about parent PID spoofing: https://blog.f-secure.com/detecting-parent-pid-spoofing/

N3mes1s avatar Oct 26 '20 16:10 N3mes1s
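The ETW-based detection the comments above point at, as an added example that is not Raccine's code: the Microsoft-Windows-Kernel-Process ProcessStart event is emitted by the process that actually called CreateProcess, so its header ProcessId is the real creator, while the payload ParentProcessID is whatever the child will report (and what a spoofer controls). The event records, PIDs and image paths below are constructed samples, and the `allowed_creators` parameter is an assumption added to cover legitimate mismatches such as the UAC/svchost case mentioned in this thread.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcessStartEvent:
    """Subset of an ETW Kernel-Process ProcessStart event (constructed model)."""
    header_pid: int    # ProcessId from the event header: the real creator
    new_pid: int       # payload ProcessID of the process being created
    claimed_ppid: int  # payload ParentProcessID: what the child will report
    image: str         # payload ImageName


@dataclass(frozen=True)
class Finding:
    new_pid: int
    image: str
    claimed_ppid: int
    real_creator_pid: int


def find_ppid_spoofing(events: Iterable[ProcessStartEvent],
                       allowed_creators: Optional[Set[int]] = None) -> List[Finding]:
    """Return one Finding per event whose claimed parent is not its creator.

    allowed_creators (assumed helper parameter) holds PIDs that legitimately
    create processes on behalf of others, e.g. the AppInfo svchost behind UAC.
    """
    allowed = allowed_creators or set()
    findings = []
    for ev in events:
        if ev.header_pid != ev.claimed_ppid and ev.header_pid not in allowed:
            findings.append(Finding(ev.new_pid, ev.image, ev.claimed_ppid, ev.header_pid))
    return findings


# Constructed sample: explorer.exe (pid 1234) starts notepad normally, then a
# process with pid 4444 starts vssadmin.exe while claiming explorer as parent.
SAMPLE_EVENTS = [
    ProcessStartEvent(1234, 5000, 1234, r"\Device\HarddiskVolume2\Windows\System32\notepad.exe"),
    ProcessStartEvent(4444, 5001, 1234, r"\Device\HarddiskVolume2\Windows\System32\vssadmin.exe"),
]

if __name__ == "__main__":
    for f in find_ppid_spoofing(SAMPLE_EVENTS):
        print(f"PPID spoofing: pid {f.new_pid} ({f.image}) claims parent "
              f"{f.claimed_ppid} but was created by pid {f.real_creator_pid}")
```

A parent-walk check like Raccine's sees only the claimed parent, so the vssadmin start above looks like an explorer child to it; only the creator recorded by ETW exposes the mismatch.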

I want to cancel all operations.

Gulhanburcu avatar Aug 17 '22 16:08 Gulhanburcu