Suspicious Child Process Created as System

calendar Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1134.002  ·
Share on: linkedin copy

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

Sigma rule (View on GitHub)

 1title: Suspicious Child Process Created as System
 2id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
 3status: test
 4description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 7    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
 8    - https://github.com/antonioCoco/RogueWinRM
 9    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
10author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
11date: 2019-10-26
12modified: 2024-12-01
13tags:
14    - attack.defense-evasion
15    - attack.privilege-escalation
16    - attack.t1134.002
17logsource:
18    category: process_creation
19    product: windows
20    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
21detection:
22    selection:
23        ParentUser|contains:
24            - 'AUTHORI'
25            - 'AUTORI'
26        ParentUser|endswith:
27            - '\NETWORK SERVICE'
28            - '\LOCAL SERVICE'
29        User|contains: # covers many language settings
30            - 'AUTHORI'
31            - 'AUTORI'
32        User|endswith: # System
33            - '\SYSTEM'
34            - '\Système'
35            - '\СИСТЕМА'
36        IntegrityLevel:
37            - 'System'
38            - 'S-1-16-16384'
39    filter_rundll32:
40        Image|endswith: '\rundll32.exe'
41        CommandLine|contains: 'DavSetCookie'
42    condition: selection and not 1 of filter_*
43falsepositives:
44    - Unknown
45level: high

References

Related rules

to-top