
Summary
This rule detects the execution of parent process ID (PPID) spoofing tools, specifically the SelectMyParent tool written by Didier Stevens. PPID spoofing is commonly used to evade detection: a malicious process is started under a benign or trusted parent so that it masquerades as part of that parent's process tree. The rule identifies suspicious process creation events on Windows by looking for indicators associated with SelectMyParent, namely specific command line arguments, image names, and original file names. Detection works by inspecting process creation logs; any event matching the specified criteria triggers an alert. A hit warrants investigation of a possible evasion attempt by an attacker trying to hide process activity within the operating system. The rule carries a high severity level, indicating that it needs immediate attention in security operations.
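As an added example (not part of the rule or its author's material), the matching logic the summary describes, run over constructed Sysmon-style process creation events; the concrete indicator strings and the field names are assumptions, since the page itself does not list them:

```python
# Constructed indicator values: the page does not state the rule's exact strings,
# so these are assumptions modelled on the tool's name. Field names follow the
# Sysmon Event ID 1 (process creation) schema.
SUSPECT_IMAGE_SUFFIX = "\\selectmyparent.exe"   # Image: suffix match on the path
SUSPECT_ORIGINAL_NAME = "selectmyparent.exe"    # OriginalFileName: from PE version info
SUSPECT_CMDLINE_TOKEN = "selectmyparent"        # CommandLine: substring match


def matches_selectmyparent(event: dict) -> list[str]:
    """Return the indicator names that fire for one process creation event.

    Matching is case-insensitive, mirroring how Sigma string modifiers behave.
    OriginalFileName is checked separately from Image because renaming the
    binary on disk does not change the name embedded in its version resource.
    """
    hits = []
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if image.endswith(SUSPECT_IMAGE_SUFFIX):
        hits.append("Image")
    if original == SUSPECT_ORIGINAL_NAME:
        hits.append("OriginalFileName")
    if SUSPECT_CMDLINE_TOKEN in cmdline:
        hits.append("CommandLine")
    return hits


def scan(events):
    """Yield (event, hits) for every event that triggers at least one indicator."""
    for ev in events:
        hits = matches_selectmyparent(ev)
        if hits:
            yield ev, hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Renamed copy: Image and CommandLine no longer match, OriginalFileName still does.
    {"EventID": 1, "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "SelectMyParent.exe",
     "CommandLine": "svc.exe cmd.exe 4321"},
    # Unrenamed tool launched directly: all three indicators fire.
    {"EventID": 1, "Image": "C:\\Tools\\SelectMyParent.exe",
     "OriginalFileName": "SelectMyParent.exe",
     "CommandLine": "SelectMyParent.exe notepad.exe 1234"},
    # Benign process for contrast: no indicator fires.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]
```

The first sample shows why the rule keys on OriginalFileName as well as Image: a renamed binary evades the path check but still carries its original name in the PE version resource.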
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2022-07-23