Elevated System Shell Spawned From Uncommon Parent Location

 1title: Elevated System Shell Spawned From Uncommon Parent Location
 2id: 178e615d-e666-498b-9630-9ed363038101
 3related:
 4    - id: 61065c72-5d7d-44ef-bf41-6a36684b545f
 5      type: similar
 6status: test
 7description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
 8references:
 9    - https://github.com/Wh04m1001/SysmonEoP
10author: frack113, Tim Shelton (update fp)
11date: 2022-12-05
12modified: 2025-03-06
13tags:
14    - attack.privilege-escalation
15    - attack.defense-evasion
16    - attack.execution
17    - attack.t1059
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_shell:
23        - Image|endswith:
24              - '\powershell.exe'
25              - '\powershell_ise.exe'
26              - '\pwsh.exe'
27              - '\cmd.exe'
28        - OriginalFileName:
29              - 'PowerShell.EXE'
30              - 'powershell_ise.EXE'
31              - 'pwsh.dll'
32              - 'Cmd.Exe'
33    selection_user:
34        User|contains: # covers many language settings
35            - 'AUTHORI'
36            - 'AUTORI'
37        LogonId: '0x3e7'
38    filter_main_generic:
39        # Example 1:
40        #   C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
41        # Example 2:
42        #   ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
43        #   CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
44        ParentImage|contains:
45            - ':\Program Files (x86)\'
46            - ':\Program Files\'
47            - ':\ProgramData\'
48            - ':\Windows\System32\'
49            - ':\Windows\SysWOW64\'
50            - ':\Windows\Temp\' # Installers
51            - ':\Windows\WinSxS\'
52    filter_optional_manageengine:
53        # Example:
54        #   ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
55        #   CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
56        ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
57        Image|endswith: '\cmd.exe'
58    filter_optional_asgard:
59        CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
60        CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
61    filter_optional_ibm_spectrumprotect:
62        ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
63        CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
64    filter_main_parent_null:
65        ParentImage: null
66    filter_main_parent_empty:
67        ParentImage:
68            - ''
69            - '-'
70    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
71falsepositives:
72    - Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.
73level: medium