Name:Windows Privilege Escalation System Process Without System Parent id:5a5351cd-ba7e-499e-ad82-2ce160ffa637 version:5 date:2024-11-13 author:Steven Dick status:production type:TTP Description:The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment. Data_source:
-Sysmon EventID 1
search:`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) as lastTime by action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`
how_to_implement:Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data. known_false_positives:Unknown References: -https://attack.mitre.org/techniques/T1068/ -https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor -https://redcanary.com/blog/getsystem-offsec/ -https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: name:'View the detection results for - "$dest$" and "$src_user$"' search:'%original_detection_search% | search dest = "$dest$" src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Privilege Escalation' - 'BlackSuit Ransomware' asset_type:Endpoint mitre_attack_id: - 'T1068' - 'T1548' - 'T1134' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
