Blog link:
- part-1: https://mp.weixin.qq.com/s/oboW9ToiTUNfiOExHFrXXA
- part-2: https://mp.weixin.qq.com/s/oFxkeR9gvHw26Z5-DijZ2w
- Create a process with a fake PPID and a fake command line.
- It a test version, only tested in Win10_x64.
- The purpose is to bypass Sysmon and parent process detection
- You are gonna need to change the PPID in the Main function, OR we could add a function(like a funciton call Find_explorer) to find a process's PID as a parent process. (Most of the time, we would choose explorer.exe).
I am gonna update the Find_explorer function and fix some bugs soon(DONE).- Importance! The Fake command line must be longer than the real one, but also there are some ideas to fix that(I am gonna talk about that in my blog), for now, you just need to remember The fake command line must be longer than the real one
- It only works with x64, cause the offset different from x86, also maybe I am gonna update that too.
- I updated the code, now it's gonna find "explorer" pid automaticlly, but also you could change explorer to other process name.
- I have restructed the code, make it easy for understanding.
- Feel free to make any issues and advises
-
Select a process pid as parent process pid.
-
Set the fake command line and the real command line.
-
Launch the assembly through a white list application.
Restructure PEB-PPIDspoofing_Csharp code.- DONE
- Find process's pid automaticlly - 20210804
- Restructure code - 20210821
- Fixed bugs: Line 175 in ProcessCreator.cs, NtWriteVirtualMemory with wrong args. - 20220105
- Update blog link for PEB-PPIDspoofing - 20230415
- https://medium.com/@r3n_hat/parent-pid-spoofing-b0b17317168e
- https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/bypassing-malicious-macro-detections-by-defeating-child-parent-process-relationships
- https://www.pinvoke.net
- https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
- https://www.ired.team/offensive-security/defense-evasion/masquerading-processes-in-userland-through-_peb
- https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
- https://gist.github.com/xpn/1c51c2bfe19d33c169fe0431770f3020#file-argument_spoofing-cpp
- https://github.com/christophetd/spoofing-office-macro
- https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing