{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/projector.is-inc./feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","token-theft","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","philandro Software GmbH","Freedom Scientific Inc.","TeamViewer Germany GmbH","Projector.is, Inc.","TeamViewer GmbH","Cisco","Dell","Sophos","Brother Industries, Ltd.","MILVUS INOVACOES EM SOFTWARE LTDA","Chocolatey Software, Inc"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary. The technique, often referred to as token theft, allows adversaries to escalate privileges and bypass access controls by creating a new process with a different token. The rule focuses on detecting instances where a process is initiated with the SYSTEM user ID (S-1-5-18) and its effective parent process is a privileged Microsoft native binary located in a standard Windows directory. This activity is indicative of an attempt to hijack a legitimate system process\u0026rsquo;s token for malicious purposes. This can lead to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged Windows process, such as a service running as SYSTEM, as a target for token theft.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eCreateProcessWithTokenW\u003c/code\u003e API (or similar) to create a new process.\u003c/li\u003e\n\u003cli\u003eThe new process is configured to run under the security context (token) of the targeted privileged process.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes malicious code within the context of the newly created process.\u003c/li\u003e\n\u003cli\u003eThis malicious code now operates with SYSTEM-level privileges, bypassing normal access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use these elevated privileges to install malware, modify system settings, or steal sensitive data.\u003c/li\u003e\n\u003cli\u003eFinally, the adversary achieves persistence and control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform any action on the system with the highest privileges. This includes installing malware, accessing sensitive data, creating new user accounts with administrative rights, and disabling security controls. The impact is a complete compromise of the affected system. The Elastic rule has a risk score of 73 and is classified as high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend to collect the necessary process creation events, as specified in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect processes created with elevated tokens. Tune the rule based on observed false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process tree, focusing on the \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.parent.executable\u003c/code\u003e, and \u003ccode\u003eprocess.Ext.effective_parent.executable\u003c/code\u003e fields as outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and validate any exceptions before implementing them, ensuring that the exact child/parent/effective-parent pattern is stable for the same host or managed host group, and avoid broad exceptions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:11:31Z","date_published":"2026-05-12T19:11:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-process-created-with-elevated-token/","summary":"This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.","title":"Process Created with an Elevated Token via Token Theft","url":"https://feed.craftedsignal.io/briefs/2026-05-process-created-with-elevated-token/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Endpoint","Chrome Remote Desktop","GoToAssist Remote Support Customer"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","ppid-spoofing"],"_cs_type":"advisory","_cs_vendors":["Elastic","philandro Software GmbH","Freedom Scientific Inc.","TeamViewer Germany GmbH","Projector.is, Inc.","TeamViewer GmbH","Cisco WebEx LLC","Dell Inc","HEAT Software","VisualCron","BinaryDefense","Wacom","LogMeIn","EMC Captiva","Google","Netwrix Corporation"],"content_html":"\u003cp\u003eThis detection identifies a technique known as parent process ID (PPID) spoofing used to elevate privileges on Windows systems. PPID spoofing involves creating a new process with a spoofed parent process ID to evade process monitoring defenses or gain higher privileges. This is achieved by manipulating the \u003ccode\u003eUpdateProcThreadAttribute\u003c/code\u003e API. The detection specifically looks for processes running as SYSTEM (\u003ccode\u003euser.id : \u0026quot;S-1-5-18\u0026quot;\u003c/code\u003e) where the real parent PID (\u003ccode\u003eprocess.parent.Ext.real.pid\u003c/code\u003e) differs from the reported parent PID, which could indicate spoofing. The rule aims to identify privilege escalation attempts while excluding common false positives like Windows Error Reporting, update processes, and certain third-party software. This behavior matters for defenders because successful PPID spoofing can allow attackers to execute malicious code with elevated privileges, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through exploitation of a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious program or script designed to perform PPID spoofing.\u003c/li\u003e\n\u003cli\u003eThe malicious program uses the \u003ccode\u003eUpdateProcThreadAttribute\u003c/code\u003e API to set a custom parent process ID (PPID) for a new process.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new process with SYSTEM privileges, often through the \u003ccode\u003eseclogon\u003c/code\u003e service. The new process inherits the spoofed PPID.\u003c/li\u003e\n\u003cli\u003eThe system creates the new process with the specified (spoofed) parent PID, while the \u003ccode\u003eExt.real.pid\u003c/code\u003e reflects the true creator process.\u003c/li\u003e\n\u003cli\u003eThe spoofed process executes malicious commands, leveraging SYSTEM privileges. This could involve installing backdoors, modifying system configurations, or stealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network, utilizing the compromised system as a launchpad.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or long-term persistence within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful PPID spoofing can grant attackers SYSTEM-level privileges, allowing them to perform virtually any action on the compromised system. This can lead to data theft, system corruption, or the installation of persistent backdoors. A single compromised system can serve as a beachhead for further attacks within the network. The potential damage includes significant financial losses, reputational damage, and disruption of business operations. The rule is designed to detect this activity before significant damage occurs by identifying the initial elevation of privileges via PPID spoofing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect potential PPID spoofing attempts, focusing on the processes running as SYSTEM with mismatched parent PIDs (\u003ccode\u003eprocess.parent.Ext.real.pid\u003c/code\u003e vs \u003ccode\u003eprocess.parent.pid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with full command-line auditing to capture the necessary data for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules by examining the parent and child processes, as well as the user context and command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or untrusted executables, mitigating the risk of malicious code execution via PPID spoofing.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of systems with elevated privileges to minimize the potential impact of successful privilege escalation attacks.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rules based on your environment to reduce false positives by excluding known-benign processes and applications.\u003c/li\u003e\n\u003cli\u003eConsult the references for more context on PPID spoofing and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:10:58Z","date_published":"2026-05-12T19:10:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-privilege-elevation-via-ppid-spoofing/","summary":"This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.","title":"Privilege Elevation via Parent Process PID Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-05-privilege-elevation-via-ppid-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed — Projector.is, Inc.","version":"https://jsonfeed.org/version/1.1"}