Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
Sigma rule
```yaml
title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
id: 8065b1b4-1778-4427-877f-6bf948b26d38
description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
references:
  - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
  - attack.privilege_escalation
  - attack.t1068
status: unsupported
author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
date: 2019/06/03
logsource:
  category: process_creation
  product: windows
  definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
detection:
  selection:
    ParentIntegrityLevel: Medium
    IntegrityLevel: System
    User: "NT AUTHORITY\\SYSTEM"
  condition: selection
falsepositives:
  - Unknown
level: high
```
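To show what the selection actually matches on, the following is an added example (not code from the Sigma project) that applies the rule's three-field selection to constructed, already-enriched process_creation events; the event dictionaries and image paths are made up for illustration, and the comparison is case-insensitive as Sigma's default string matching is.

```python
"""Apply the rule's selection to constructed, enriched Sysmon process_creation events."""

# The three fields and values from the rule's `selection` map. Within a Sigma
# map all fields must match (AND). ParentIntegrityLevel is not a native Sysmon
# field; it must come from the enrichment the logsource definition refers to.
SELECTION = {
    "ParentIntegrityLevel": "Medium",
    "IntegrityLevel": "System",
    "User": r"NT AUTHORITY\SYSTEM",   # YAML "NT AUTHORITY\\SYSTEM" is one backslash
}


def matches(event: dict) -> bool:
    """True when every selection field is present and equal (case-insensitive,
    as Sigma compares strings by default). A missing field never matches, so an
    un-enriched event (no ParentIntegrityLevel) is silently ignored."""
    return all(
        str(event.get(field, "")).lower() == value.lower()
        for field, value in SELECTION.items()
    )


def detect(events: list) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if matches(e)]


# Constructed sample events, not real telemetry.
EVENTS = [
    # Medium-integrity user process spawned a SYSTEM child: this is what the rule hunts.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\alice\app.exe",
     "ParentIntegrityLevel": "Medium", "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM"},
    # Normal service start: SYSTEM parent, SYSTEM child.
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentIntegrityLevel": "System", "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM"},
    # UAC elevation: child is High, not System, and still runs as the user.
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentIntegrityLevel": "Medium", "IntegrityLevel": "High", "User": r"LAB\alice"},
    # Same shape as the first event but without enrichment: the rule cannot fire.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\alice\app.exe",
     "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

The last sample event is the caveat from the logsource definition in practice: without the ParentIntegrityLevel enrichment the rule has no field to test and the suspicious spawn goes unnoticed.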
Related rules
- CVE-2021-3156 Exploitation Attempt
- CVE-2021-3156 Exploitation Attempt Bruteforcing
- OMIGOD SCX RunAsProvider ExecuteScript
- Detection of Possible Rotten Potato
- Disabled Users Failing To Authenticate From Source Using Kerberos