Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
Sigma rule

title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\winlogon.exe'
            - '\services.exe'
            - '\lsass.exe'
            - '\csrss.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\spoolsv.exe'
            - '\searchindexer.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'Cmd.Exe'
    filter:
        CommandLine|contains|all:
            - ' route '
            - ' ADD '
    condition: all of selection_* and not filter
fields:
    - ParentImage
    - Image
    - User
    - CommandLine
falsepositives:
    - Unknown
level: high
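The rule's condition is `all of selection_* and not filter`: the parent must be one of the listed system processes running as a built-in account (matched language-independently on the `AUTHORI`/`AUTORI` fragments of the user name), the child must look like a shell by path or by PE `OriginalFileName` (the two maps under `selection_img` are OR-ed, so a renamed `powershell.exe` is still caught), and a `route ADD` command line is excluded. The Python below is an added example written for this page, not code from the Sigma project; it mirrors that logic with Sigma's default case-insensitive string matching and runs it over constructed process-creation events in Sysmon Event ID 1 field names. The event values and the helper names are all assumptions made for the illustration.

```python
"""Added example: a minimal matcher for the Sigma rule above, run over
constructed process_creation events. Not part of the Sigma project."""

# Values copied from the rule. Sigma string modifiers are case-insensitive
# by default, so every comparison below lower-cases both sides.
PARENT_IMAGE_SUFFIXES = (
    "\\winlogon.exe", "\\services.exe", "\\lsass.exe", "\\csrss.exe",
    "\\smss.exe", "\\wininit.exe", "\\spoolsv.exe", "\\searchindexer.exe",
)
USER_FRAGMENTS = ("AUTHORI", "AUTORI")  # NT AUTHORITY, NT-AUTORITÄT, ...
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
ORIGINAL_FILE_NAMES = {"powershell.exe", "pwsh.dll", "cmd.exe"}  # lower-cased
FILTER_FRAGMENTS_ALL = (" route ", " ADD ")


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, fragments):
    v = value.lower()
    return any(f.lower() in v for f in fragments)


def selection_parent(event):
    """ParentImage|endswith AND User|contains (both keys in one map are AND-ed)."""
    return (_endswith_any(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIXES)
            and _contains_any(event.get("User", ""), USER_FRAGMENTS))


def selection_img(event):
    """A YAML list of maps is OR-ed: path suffix OR PE OriginalFileName."""
    return (_endswith_any(event.get("Image", ""), IMAGE_SUFFIXES)
            or event.get("OriginalFileName", "").lower() in ORIGINAL_FILE_NAMES)


def filter_route_add(event):
    """CommandLine|contains|all: every fragment must be present."""
    cl = event.get("CommandLine", "").lower()
    return all(f.lower() in cl for f in FILTER_FRAGMENTS_ALL)


def matches(event):
    """condition: all of selection_* and not filter"""
    return (selection_parent(event) and selection_img(event)
            and not filter_route_add(event))


# Constructed sample events (assumed values, not real telemetry).
SAMPLE_EVENTS = [
    # 0: system process spawning cmd.exe as SYSTEM -> alert
    {"ParentImage": r"C:\Windows\System32\winlogon.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe /c whoami"},
    # 1: renamed PowerShell under a German SYSTEM account -> alert via
    #    OriginalFileName and the 'AUTORI' fragment
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "PowerShell.EXE",
     "User": r"NT-AUTORITÄT\SYSTEM", "CommandLine": "svc.exe -Command Get-Date"},
    # 2: same shape but a 'route ADD' command line -> excluded by the filter
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "cmd.exe /c route ADD 10.0.0.0 MASK 255.0.0.0 10.1.1.1"},
    # 3: ordinary user shell from explorer.exe -> no parent match
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"CORP\alice", "CommandLine": "cmd.exe"},
]


def matching_indices(events=SAMPLE_EVENTS):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in matching_indices():
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']} as {e['User']}")
```

Running it alerts on events 0 and 1 only: event 2 is suppressed by the `route ADD` filter and event 3 fails `selection_parent` on both the parent image and the user fragment. When tuning the rule for an environment, the `falsepositives: Unknown` entry is the place to record any legitimate system-process-to-shell chains found this way rather than widening the filter.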