Skip to content
/ Foster Public

Demo for spawning processes under a specified parent PID.

8 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0d-gg/Foster

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

Foster

Foster

 
 

.gitignore

.gitignore

 
 

Foster.sln

Foster.sln

 
 

README.md

README.md

 
 

Repository files navigation

Foster

Demo for spawning processes under a specified parent PID in C#. Based heavily on the work by Didier Stevens: https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/

If you have permissions, you can start a new process as a child process of another process. This can be valuable for evading threat-hunting mechanisms that check for suspicious parent-child relationships such as cmd.exe being a child of an unknown process.

Command syntax

example commands

Spawning notepad.exe under explorer.

example commands

Spawning notepad.exe under lsass.exe (requires eleveated privs).

example commands

About

Demo for spawning processes under a specified parent PID.

Topics

post-exploitation windows-api parent-process

Resources

Readme
Activity

Stars

8 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages