Suspicious Child Process Created as System

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

Sigma rule (View on GitHub)

 1title: Suspicious Child Process Created as System
 2id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
 3status: test
 4description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 7    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
 8    - https://github.com/antonioCoco/RogueWinRM
 9    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
10author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
11date: 2019-10-26
12modified: 2024-12-01
13tags:
14    - attack.privilege-escalation
15    - attack.t1134.002
16logsource:
17    category: process_creation
18    product: windows
19    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
20detection:
21    selection:
22        ParentUser|contains:
23            - 'AUTHORI'
24            - 'AUTORI'
25        ParentUser|endswith:
26            - '\NETWORK SERVICE'
27            - '\LOCAL SERVICE'
28        User|contains: # covers many language settings
29            - 'AUTHORI'
30            - 'AUTORI'
31        User|endswith: # System
32            - '\SYSTEM'
33            - '\Système'
34            - '\СИСТЕМА'
35        IntegrityLevel:
36            - 'System'
37            - 'S-1-16-16384'
38    filter_rundll32:
39        Image|endswith: '\rundll32.exe'
40        CommandLine|contains: 'DavSetCookie'
41    condition: selection and not 1 of filter_*
42falsepositives:
43    - Unknown
44level: high

References

Related rules

to-top