Windows Kernel and 3rd-Party Drivers Exploits Token Stealing

Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level

Sigma rule

title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
id: 8065b1b4-1778-4427-877f-6bf948b26d38
description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
    - attack.privilege_escalation
    - attack.t1068
status: unsupported
author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
date: 2019/06/03
logsource:
    category: process_creation
    product: windows
    definition: Works only if  Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
detection:
    selection:
        ParentIntegrityLevel: Medium
        IntegrityLevel: System
        User: "NT AUTHORITY\\SYSTEM"
    condition: selection
falsepositives:
    - Unknown
level: high
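To show how the selection above behaves on telemetry, here is an added Python example (not part of the rule or the Sigma project) that applies the three selection fields to constructed Sysmon-style process_creation events, including one that lacks the ParentIntegrityLevel enrichment the logsource definition calls out. Image paths and user names in the sample events are made up.

```python
# Added example, not part of the Sigma rule or Sigma project: applies the rule's
# selection to constructed process_creation events.

# Selection copied from the rule above; Sigma ANDs the fields of a selection map.
SELECTION = {
    "ParentIntegrityLevel": "Medium",
    "IntegrityLevel": "System",
    "User": "NT AUTHORITY\\SYSTEM",
}


def matches_selection(event):
    """True when every selection field is present and equal; Sigma string
    matching is case-insensitive by default, so compare lower-cased."""
    return all(str(event.get(f, "")).lower() == v.lower() for f, v in SELECTION.items())


def evaluate(events):
    """Verdict per event: 'alert', 'no-match', or 'unenriched' when the event
    lacks ParentIntegrityLevel (the enrichment the logsource definition requires)."""
    verdicts = []
    for ev in events:
        if "ParentIntegrityLevel" not in ev:
            verdicts.append("unenriched")
        elif matches_selection(ev):
            verdicts.append("alert")
        else:
            verdicts.append("no-match")
    return verdicts


# Constructed sample events: Sysmon Event ID 1 fields plus the enriched
# ParentIntegrityLevel; paths and user names are made up for illustration.
SAMPLE_EVENTS = [
    # Medium-integrity parent spawning a SYSTEM child: the pattern the rule flags.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\tool.exe",
     "ParentIntegrityLevel": "Medium", "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"},
    # Normal service start: the parent is already System, so nothing escalated.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "ParentIntegrityLevel": "System", "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"},
    # Same suspicious pair but no ParentIntegrityLevel: the rule cannot fire,
    # which is exactly the caveat in its logsource definition.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\tool.exe",
     "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{verdict:10s} {ev['ParentImage']} -> {ev['Image']}")
```

The third verdict is the one to watch for in a deployment: without the enrichment the rule never errors, it simply never matches.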
