Elevated System Shell Spawned From Uncommon Parent Location

calendar Oct 1, 2024 · attack.privilege-escalation attack.defense-evasion attack.execution attack.t1059  ·
Share on: linkedin copy

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Sigma rule (View on GitHub)

 1title: Elevated System Shell Spawned From Uncommon Parent Location
 2id: 178e615d-e666-498b-9630-9ed363038101
 3related:
 4    - id: 61065c72-5d7d-44ef-bf41-6a36684b545f
 5      type: similar
 6status: test
 7description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
 8references:
 9    - https://github.com/Wh04m1001/SysmonEoP
10author: frack113, Tim Shelton (update fp)
11date: 2022-12-05
12modified: 2023-11-23
13tags:
14    - attack.privilege-escalation
15    - attack.defense-evasion
16    - attack.execution
17    - attack.t1059
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_shell:
23        - Image|endswith:
24              - '\powershell.exe'
25              - '\pwsh.exe'
26              - '\cmd.exe'
27        - OriginalFileName:
28              - 'PowerShell.EXE'
29              - 'pwsh.dll'
30              - 'Cmd.Exe'
31    selection_user:
32        User|contains: # covers many language settings
33            - 'AUTHORI'
34            - 'AUTORI'
35        LogonId: '0x3e7'
36    filter_main_generic:
37        # Example 1:
38        #   C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
39        # Example 2:
40        #   ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
41        #   CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
42        ParentImage|contains:
43            - ':\Program Files (x86)\'
44            - ':\Program Files\'
45            - ':\ProgramData\'
46            - ':\Windows\System32\'
47            - ':\Windows\SysWOW64\'
48            - ':\Windows\Temp\' # Installers
49            - ':\Windows\WinSxS\'
50    filter_optional_manageengine:
51        # Example:
52        #   ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
53        #   CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
54        ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
55        Image|endswith: '\cmd.exe'
56    filter_optional_asgard:
57        CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
58        CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
59    filter_optional_ibm_spectrumprotect:
60        ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
61        CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
62    filter_main_parent_null:
63        ParentImage: null
64    filter_main_parent_empty:
65        ParentImage: ''
66    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
67falsepositives:
68    - Unknown
69level: medium

References

Related rules

to-top