Name:Windows Privilege Escalation System Process Without System Parent id:5a5351cd-ba7e-499e-ad82-2ce160ffa637 version:3 date:2024-09-30 author:Steven Dick status:production type:TTP Description:The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment. Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
-CrowdStrike ProcessRollup2
search:`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`
how_to_implement:Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data. known_false_positives:Unknown References: -https://attack.mitre.org/techniques/T1068/ -https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor -https://redcanary.com/blog/getsystem-offsec/ -https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: name:'View the detection results for - "$dest$" and "$src_user$"' search:'%original_detection_search% | search dest = "$dest$" src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Privilege Escalation' - 'BlackSuit Ransomware' asset_type:Endpoint confidence:80 impact:100 message:The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$. mitre_attack_id: - 'T1068' - 'T1548' - 'T1134' observable: name:'dest' - role: - 'Victim' type:'Hostname' name:'src_user' - role: - 'Victim' type:'User' name:'process_name' - role: - 'Attacker' type:'Other' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'dest' - 'user' - 'ParentUser' - 'parent_process_name' - 'parent_process_guid' - 'IntegrityLevel' risk_score:80 security_domain:endpoint
