HackTool - PPID Spoofing SelectMyParent Tool Execution
Detects the use of parent process ID spoofing tools like Didier Stevens' tool SelectMyParent
Sigma rule

```yaml
title: HackTool - PPID Spoofing SelectMyParent Tool Execution
id: 52ff7941-8211-46f9-84f8-9903efb7077d
status: test
description: Detects the use of parent process ID spoofing tools like Didier Stevens' tool SelectMyParent
references:
    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
author: Florian Roth (Nextron Systems)
date: 2022-07-23
modified: 2024-11-23
tags:
    - attack.defense-evasion
    - attack.t1134.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SelectMyParent.exe'
        - CommandLine|contains:
              - 'PPID-spoof'
              - 'ppid_spoof'
              - 'spoof-ppid'
              - 'spoof_ppid'
              - 'ppidspoof'
              - 'spoofppid'
              - 'spoofedppid'
              - ' -spawnto '
        - OriginalFileName|contains:
              - 'PPID-spoof'
              - 'ppid_spoof'
              - 'spoof-ppid'
              - 'spoof_ppid'
              - 'ppidspoof'
              - 'spoofppid'
              - 'spoofedppid'
        - Description: 'SelectMyParent'
        - Hashes|contains:
              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'
              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
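To see how the five OR-ed selection clauses above behave on real telemetry, here is an added example (not part of the Sigma project or of any backend) that evaluates this rule's `selection` in plain Python over constructed process_creation events; the event field names follow the Sysmon/Sigma taxonomy and the `MD5=<placeholder>` value is a stand-in, not a real hash.

```python
# Added example, not part of the Sigma project: a small evaluator for this
# rule's `selection`, run over constructed process_creation events. Sigma
# semantics: list of maps is OR-ed, fields in one map AND-ed, value lists
# OR-ed, string comparison case-insensitive.
PPID_SPOOF_NAMES = ["PPID-spoof", "ppid_spoof", "spoof-ppid", "spoof_ppid",
                    "ppidspoof", "spoofppid", "spoofedppid"]
SELECTION = [
    {"Image|endswith": ["\\SelectMyParent.exe"]},
    {"CommandLine|contains": PPID_SPOOF_NAMES + [" -spawnto "]},
    {"OriginalFileName|contains": PPID_SPOOF_NAMES},
    {"Description": ["SelectMyParent"]},
    {"Hashes|contains": ["IMPHASH=04D974875BD225F00902B4CAD9AF3FBC",
                         "IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E",
                         "IMPHASH=89059503D7FBF470E68F7E63313DA3AD",
                         "IMPHASH=CA28337632625C8281AB8A130B3D6BAD"]},
]

def field_matches(event, spec, values):
    """True if event[field] satisfies spec ('Field' or 'Field|modifier')."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:  # an absent field never matches in Sigma
        return False
    actual = actual.lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:  # plain field: exact match
            return True
    return False

def rule_matches(event):
    """Evaluate `condition: selection` for one process_creation event."""
    return any(all(field_matches(event, spec, values) for spec, values in clause.items())
               for clause in SELECTION)

# Constructed sample events; only the third should not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\SelectMyParent.exe", "CommandLine": "SelectMyParent.exe notepad.exe 1234"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe loader.dll,Run -spawnto svchost.exe"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe", "CommandLine": "notepad++.exe ppid_notes.txt", "Description": "Notepad++"},
    {"Image": r"C:\Temp\a.exe", "Hashes": "MD5=<placeholder>,IMPHASH=04d974875bd225f00902b4cad9af3fbc"},
]

def scan(events):
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]
```

Note that the Hashes clause matches case-insensitively, so an IMPHASH logged in lowercase still fires, while the benign Notepad++ event with `ppid_notes.txt` on its command line does not hit any of the `contains` substrings.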
Related rules
- HackTool - CoercedPotato Execution
- HackTool - GMER Rootkit Detector and Remover Execution
- HackTool - Impersonate Execution
- HackTool - LocalPotato Execution
- HackTool - SharpEvtMute DLL Load