Name:Windows Privilege Escalation Suspicious Process Elevation id:6a80300a-9f8a-4f22-bd3e-09ca577cfdfc version:3 date:2024-09-30 author:Steven Dick status:production type:TTP Description:The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon EventID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access. Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
-CrowdStrike ProcessRollup2
search:| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`
how_to_implement:Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. known_false_positives:False positives may be generated by administrators installing benign applications using run-as/elevation. References: -https://attack.mitre.org/techniques/T1068/ -https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor -https://redcanary.com/blog/getsystem-offsec/ -https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$" src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Privilege Escalation' - 'BlackSuit Ransomware' asset_type:Endpoint confidence:40 impact:100 message:The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. mitre_attack_id: - 'T1068' - 'T1548' - 'T1134' observable: name:'dest' - role: - 'Victim' type:'Hostname' name:'user' - role: - 'Victim' type:'User' name:'src_user' - role: - 'Victim' type:'User' name:'process_name' - role: - 'Attacker' type:'Other' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Processes.dest' - 'Processes.user' - 'Processes.parent_process_guid' - 'Processes.parent_process' - 'Processes.parent_process_name' - 'Processes.process_name' - 'Processes.process' - 'Processes.process_path' - 'Processes.process_guid' - 'Processes.process_integrity_level' - 'Processes.process_current_directory' risk_score:40 security_domain:endpoint
