Parent PID spoofing TL;DR: PROC_THREAD_ATTRIBUTE_PARENT_PROCESS to make a launched child appear to come from someone else. Stub — to be filled in. What it is TODO Preconditions / where it applies TODO Technique TODO Detection and defence TODO References TODO