HackTool - PPID Spoofing SelectMyParent Tool Execution

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

Sigma rule (View on GitHub)

 1title: HackTool - PPID Spoofing SelectMyParent Tool Execution
 2id: 52ff7941-8211-46f9-84f8-9903efb7077d
 3status: test
 4description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
 5references:
 6    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
 7    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
 8    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
 9    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
10author: Florian Roth (Nextron Systems)
11date: 2022-07-23
12modified: 2024-11-23
13tags:
14    - attack.defense-evasion
15    - attack.t1134.004
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        - Image|endswith: '\SelectMyParent.exe'
22        - CommandLine|contains:
23              - 'PPID-spoof'
24              - 'ppid_spoof'
25              - 'spoof-ppid'
26              - 'spoof_ppid'
27              - 'ppidspoof'
28              - 'spoofppid'
29              - 'spoofedppid'
30              - ' -spawnto '
31        - OriginalFileName|contains:
32              - 'PPID-spoof'
33              - 'ppid_spoof'
34              - 'spoof-ppid'
35              - 'spoof_ppid'
36              - 'ppidspoof'
37              - 'spoofppid'
38              - 'spoofedppid'
39        - Description: 'SelectMyParent'
40        - Hashes|contains:
41              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
42              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
43              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'
44              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'
45    condition: selection
46falsepositives:
47    - Unlikely
48level: high

References

Related rules

to-top