EXPLORE
Sign In
← Back to Explore
sigmahighHunting

HackTool - PPID Spoofing SelectMyParent Tool Execution

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

MITRE ATT&CK

T1134.004
privilege-escalationdefense-evasion

Detection Query

selection:
  - Image|endswith: \SelectMyParent.exe
  - CommandLine|contains:
      - PPID-spoof
      - ppid_spoof
      - spoof-ppid
      - spoof_ppid
      - ppidspoof
      - spoofppid
      - spoofedppid
      - " -spawnto "
  - OriginalFileName|contains:
      - PPID-spoof
      - ppid_spoof
      - spoof-ppid
      - spoof_ppid
      - ppidspoof
      - spoofppid
      - spoofedppid
  - Description: SelectMyParent
  - Hashes|contains:
      - IMPHASH=04D974875BD225F00902B4CAD9AF3FBC
      - IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E
      - IMPHASH=89059503D7FBF470E68F7E63313DA3AD
      - IMPHASH=CA28337632625C8281AB8A130B3D6BAD
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-07-23

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.defense-evasionattack.t1134.004
Raw Content
title: HackTool - PPID Spoofing SelectMyParent Tool Execution
id: 52ff7941-8211-46f9-84f8-9903efb7077d
status: test
description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
references:
    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
author: Florian Roth (Nextron Systems)
date: 2022-07-23
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1134.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SelectMyParent.exe'
        - CommandLine|contains:
              - 'PPID-spoof'
              - 'ppid_spoof'
              - 'spoof-ppid'
              - 'spoof_ppid'
              - 'ppidspoof'
              - 'spoofppid'
              - 'spoofedppid'
              - ' -spawnto '
        - OriginalFileName|contains:
              - 'PPID-spoof'
              - 'ppid_spoof'
              - 'spoof-ppid'
              - 'spoof_ppid'
              - 'ppidspoof'
              - 'spoofppid'
              - 'spoofedppid'
        - Description: 'SelectMyParent'
        - Hashes|contains:
              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'
              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'
    condition: selection
falsepositives:
    - Unlikely
level: high