HackTool - PPID Spoofing SelectMyParent Tool Execution

 1title: HackTool - PPID Spoofing SelectMyParent Tool Execution
 2id: 52ff7941-8211-46f9-84f8-9903efb7077d
 3status: test
 4description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
 5references:
 6    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
 7    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
 8    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
 9    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
10author: Florian Roth (Nextron Systems)
11date: 2022-07-23
12modified: 2024-11-23
13tags:
14    - attack.privilege-escalation
15    - attack.defense-evasion
16    - attack.t1134.004
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        - Image|endswith: '\SelectMyParent.exe'
23        - CommandLine|contains:
24              - 'PPID-spoof'
25              - 'ppid_spoof'
26              - 'spoof-ppid'
27              - 'spoof_ppid'
28              - 'ppidspoof'
29              - 'spoofppid'
30              - 'spoofedppid'
31              - ' -spawnto '
32        - OriginalFileName|contains:
33              - 'PPID-spoof'
34              - 'ppid_spoof'
35              - 'spoof-ppid'
36              - 'spoof_ppid'
37              - 'ppidspoof'
38              - 'spoofppid'
39              - 'spoofedppid'
40        - Description: 'SelectMyParent'
41        - Hashes|contains:
42              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
43              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
44              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'
45              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'
46    condition: selection
47falsepositives:
48    - Unlikely
49level: high

References

• Parent PID Spoofing

  

  Monitoring the relationships between parent and child processes is very common technique for threat hunting teams to detect malicious activities. For example if PowerShell is the child process and …

  
  Read More

• How to Detect Parent PID (PPID) Spoofing Attacks

  

  Picus Labs explains types of Process ID, Parent PID Spoofing Attacks and detection of these attacks using Kernel-Process logs in Windows.

  
  Read More

• Parent Process ID (PPID) Spoofing | Red Team Notes

  

  PPID Spoofing PPID spoofing is a technique that allows attackers to start programs with arbitrary parent process set. This helps attackers make it look as if their programs were spawned by another ...

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• APT27 - Emissary Panda Activity
• AWS IAM S3Browser LoginProfile Creation
• AWS IAM S3Browser Templated S3 Bucket Policy Creation
• AWS IAM S3Browser User or AccessKey Creation
• AWS Key Pair Import Activity