Detection of Possible Rotten Potato

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges

Sigma rule

title: Detection of Possible Rotten Potato
id: 6c5808ee-85a2-4e56-8137-72e5876a5096
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
tags:
    - attack.privilege_escalation
    - attack.t1134           # an old one
    - attack.t1134.002
status: unsupported
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2020/09/01
logsource:
    category: process_creation
    product: windows
    definition: Works only if Sysmon events are enriched with additional information about the parent process (the ParentUser field); see the enrichment section
detection:
    selection:
        ParentUser:
            - 'NT AUTHORITY\NETWORK SERVICE'
            - 'NT AUTHORITY\LOCAL SERVICE'
        User: 'NT AUTHORITY\SYSTEM'
    rundllexception:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DavSetCookie'
    condition: selection and not rundllexception
falsepositives:
    - Unknown
level: high
enrichment:
    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l
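As an added example (not part of the rule or of the Sigma project), the rule's condition written out in Python and run over a few constructed, parent-enriched Sysmon Event ID 1 records; the field names are the rule's own, the sample events and the `davclnt.dll,DavSetCookie fileserver` command line are constructed. It also counts events that lack the ParentUser enrichment the logsource definition requires, since the rule cannot be evaluated on those.

```python
from typing import Optional

# Rule constants; Sigma string matching is case-insensitive by default.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

def matches_rotten_potato(event: dict) -> Optional[bool]:
    """Evaluate 'selection and not rundllexception'. Returns None when the event
    has no ParentUser field, i.e. the EN_0002 parent-info enrichment did not run;
    treating that as False would silently blind the rule."""
    parent_user = event.get("ParentUser")
    if not parent_user:
        return None
    selection = (parent_user.upper() in SERVICE_ACCOUNTS
                 and event.get("User", "").upper() == SYSTEM_ACCOUNT)
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    rundll_exception = image.endswith("\\rundll32.exe") and "davsetcookie" in cmdline
    return selection and not rundll_exception

def triage(events: list) -> tuple:
    """Split a batch of process_creation events into hits and unevaluable ones."""
    results = [matches_rotten_potato(e) for e in events]
    hits = [e for e, r in zip(events, results) if r is True]
    return hits, results.count(None)

# Constructed sample events using the rule's field names (not real telemetry).
SAMPLE_EVENTS = [
    # service-account parent spawns a SYSTEM shell -> alert
    {"ParentUser": "NT AUTHORITY\\NETWORK SERVICE", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # WebDAV client DavSetCookie call: the rule's documented benign exception
    {"ParentUser": "NT AUTHORITY\\LOCAL SERVICE", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe davclnt.dll,DavSetCookie fileserver"},
    # SYSTEM parent spawning a SYSTEM child is normal -> no alert
    {"ParentUser": "NT AUTHORITY\\SYSTEM", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    # same as the first event but unenriched -> cannot be evaluated
    {"User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    hits, unevaluable = triage(SAMPLE_EVENTS)
    print(f"{len(hits)} hit(s), {unevaluable} event(s) missing ParentUser enrichment")
```

A non-zero unevaluable count in production is worth alerting on by itself, because it means the enrichment pipeline the rule depends on has stopped populating ParentUser.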
