HackTool - PPID Spoofing SelectMyParent Tool Execution

 1title: HackTool - PPID Spoofing SelectMyParent Tool Execution
 2id: 52ff7941-8211-46f9-84f8-9903efb7077d
 3status: test
 4description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
 5references:
 6    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
 7    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
 8    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
 9    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
10author: Florian Roth (Nextron Systems)
11date: 2022-07-23
12modified: 2023-03-07
13tags:
14    - attack.defense-evasion
15    - attack.t1134.004
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        - Image|endswith: '\SelectMyParent.exe'
22        - CommandLine|contains:
23              - 'PPID-spoof'
24              - 'ppid_spoof'
25              - 'spoof-ppid'
26              - 'spoof_ppid'
27              - 'ppidspoof'
28              - 'spoofppid'
29              - 'spoofedppid'
30              - ' -spawnto '
31        - OriginalFileName|contains:
32              - 'PPID-spoof'
33              - 'ppid_spoof'
34              - 'spoof-ppid'
35              - 'spoof_ppid'
36              - 'ppidspoof'
37              - 'spoofppid'
38              - 'spoofedppid'
39        - Description: 'SelectMyParent'
40        - Imphash:
41              - '04d974875bd225f00902b4cad9af3fbc'
42              - 'a782af154c9e743ddf3f3eb2b8f3d16e'
43              - '89059503d7fbf470e68f7e63313da3ad'
44              - 'ca28337632625c8281ab8a130b3d6bad'
45        - Hashes|contains:
46              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
47              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
48              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'
49              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'
50    condition: selection
51falsepositives:
52    - Unlikely
53level: high

References

• Parent PID Spoofing

  

  Monitoring the relationships between parent and child processes is very common technique for threat hunting teams to detect malicious activities. For example if PowerShell is the child process and …

  
  Read More

• How to Detect Parent PID (PPID) Spoofing Attacks

  

  Picus Labs explains types of Process ID, Parent PID Spoofing Attacks and detection of these attacks using Kernel-Process logs in Windows.

  
  Read More

• Parent Process ID (PPID) Spoofing | Red Team Notes

  

  PPID Spoofing PPID spoofing is a technique that allows attackers to start programs with arbitrary parent process set. This helps attackers make it look as if their programs were spawned by another ...

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity