Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
Sigma rule
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\winlogon.exe'
            - '\services.exe'
            - '\lsass.exe'
            - '\csrss.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\spoolsv.exe'
            - '\searchindexer.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\cmd.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'Cmd.Exe'
    filter:
        CommandLine|contains|all:
            - ' route '
            - ' ADD '
    condition: all of selection_* and not filter
fields:
    - ParentImage
    - Image
    - User
    - CommandLine
falsepositives:
    - Unknown
level: high
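The detection block above combines three pieces: a privileged parent (one of the listed system processes running under a SYSTEM-style account, where the AUTHORI/AUTORI substrings catch NT AUTHORITY and localised spellings such as NT-AUTORITÄT), a shell child identified either by path or by PE OriginalFileName (so a renamed powershell.exe still matches), and an exclusion for "route ADD" command lines. The following is an added example, not code from the rule author or the SigmaHQ project: it reimplements that logic in plain Python and runs it over a handful of constructed process_creation events. The function names (matches, evaluate), the events and the assumption that Sigma's string matching is case-insensitive are all mine.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates the rule's
# detection block over constructed process_creation events. Field names follow
# the Sigma process_creation taxonomy; Sigma string matching is case-insensitive,
# which is mirrored here. All sample events below are made up.

PARENT_SUFFIXES = [
    r"\winlogon.exe", r"\services.exe", r"\lsass.exe", r"\csrss.exe",
    r"\smss.exe", r"\wininit.exe", r"\spoolsv.exe", r"\searchindexer.exe",
]
USER_MARKERS = ["AUTHORI", "AUTORI"]   # NT AUTHORITY, NT-AUTORITÄT, AUTORITE NT, ...
IMAGE_SUFFIXES = [r"\powershell.exe", r"\pwsh.exe", r"\cmd.exe"]
ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll", "cmd.exe"}   # lower-cased for comparison
FILTER_ALL = [" route ", " ADD "]


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches(event):
    """True when the event satisfies 'all of selection_* and not filter'."""
    selection_parent = (
        _endswith_any(event.get("ParentImage", ""), PARENT_SUFFIXES)
        and _contains_any(event.get("User", ""), USER_MARKERS)
    )
    # selection_img is a YAML list of two maps, so its entries are OR-ed:
    # a matching image path *or* a matching PE OriginalFileName is enough.
    selection_img = (
        _endswith_any(event.get("Image", ""), IMAGE_SUFFIXES)
        or event.get("OriginalFileName", "").lower() in ORIGINAL_NAMES
    )
    filt = _contains_all(event.get("CommandLine", ""), FILTER_ALL)
    return selection_parent and selection_img and not filt


# Constructed events, one per branch of the rule.
EVENTS = [
    {   # cmd.exe spawned by winlogon.exe as SYSTEM: fires
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe /c whoami",
    },
    {   # renamed PowerShell under lsass.exe on a German system: the Image check
        # fails, but OriginalFileName and the 'AUTORI' marker match, so it fires
        "ParentImage": r"C:\Windows\System32\lsass.exe",
        "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "PowerShell.EXE",
        "User": r"NT-AUTORITÄT\SYSTEM",
        "CommandLine": "svc.exe -nop -w hidden -c Get-Process",
    },
    {   # services.exe child adding a static route: both selections match,
        # but the ' route ' + ' ADD ' filter suppresses it
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": "cmd.exe /c route ADD 10.0.0.0 MASK 255.0.0.0 10.0.0.1",
    },
    {   # same child under explorer.exe as an ordinary user: parent not in scope
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "User": r"CORP\alice", "CommandLine": "cmd.exe",
    },
    {   # spoolsv.exe spawning pwsh under a domain service account: User check fails
        "ParentImage": r"C:\Windows\System32\spoolsv.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
        "User": r"CORP\svc_print",
        "CommandLine": r"pwsh.exe -File C:\Scripts\cleanup.ps1",
    },
]


def evaluate(events=EVENTS):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        parent = e["ParentImage"].split("\\")[-1]
        child = e["Image"].split("\\")[-1]
        print(f"event {i}: {parent} -> {child}: {'ALERT' if matches(e) else 'no match'}")
```

Running it alerts on the first two events only. Event 1 is the renamed-binary case the OriginalFileName branch exists for; event 2 shows the cost of the exclusion: any command line that happens to contain " route " and " ADD ", legitimate or not, is dropped before the condition is evaluated, so that filter is worth reviewing against your own telemetry before deploying the rule.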