Windows Privilege Escalation System Process Without System Parent
Description
The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-28
- Author: Steven Dick
- ID: 5a5351cd-ba7e-499e-ad82-2ce160ffa637
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-")
| eval src_user = replace(ParentUser,"^[^\\\]+\\\\","")
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_privilege_escalation_system_process_without_system_parent_filter`
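To make the search's filter and grouping logic readable and testable offline, the following is a plain-Python re-implementation of the SPL above, run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not Splunk's own code: the hostnames, user names and process GUIDs are placeholders, and the exclusion list, the domain-stripping regex, the `stats ... by` grouping and the RBA risk formula are transcribed from the search and the RBA table on this page.

```python
"""Plain-Python mirror of the Splunk search above (added example, not Splunk code).
All Sysmon records below are constructed sample data with placeholder values."""
import fnmatch
import re

# Mirrors the search's NOT ParentUser IN (...) clause. Splunk matches wildcards
# in IN() case-insensitively, so both sides are lowercased before fnmatch.
EXCLUDED_PARENT_USERS = ("*SYSTEM", "*LOCAL SERVICE", "*NETWORK SERVICE",
                         "*DWM-*", "*$", "-")

# Mirrors: eval src_user = replace(ParentUser, "^[^\\]+\\", "")
_DOMAIN_PREFIX = re.compile(r"^[^\\]+\\")


def parent_user_excluded(parent_user: str) -> bool:
    """True when ParentUser is a SYSTEM, service, DWM or machine account."""
    value = parent_user.lower()
    return any(fnmatch.fnmatchcase(value, pat.lower()) for pat in EXCLUDED_PARENT_USERS)


def strip_domain(parent_user: str) -> str:
    """Drop a leading DOMAIN\\ so 'CORP\\jdoe' becomes 'jdoe'."""
    return _DOMAIN_PREFIX.sub("", parent_user, count=1)


def detect(events):
    """Apply the search's filters and its 'stats ... by' grouping to Sysmon records.

    Each event is a dict carrying the analytic's required fields (EventCode,
    IntegrityLevel, ParentUser, _time, dest, user, parent_process_name,
    parent_process_guid) plus the process fields collected with values().
    Returns one row per (dest, user, src_user, parent_process_name,
    parent_process_guid) group, as the SPL would.
    """
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        if str(ev.get("IntegrityLevel", "")).lower() != "system":
            continue
        parent_user = ev.get("ParentUser")
        if not parent_user or parent_user_excluded(parent_user):
            continue  # ParentUser=* requires the field to be present
        src_user = strip_domain(parent_user)
        key = (ev["dest"], ev["user"], src_user,
               ev["parent_process_name"], ev["parent_process_guid"])
        row = groups.setdefault(key, {
            "dest": ev["dest"], "user": ev["user"], "src_user": src_user,
            "parent_process_name": ev["parent_process_name"],
            "parent_process_guid": ev["parent_process_guid"],
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
            "process_name": set(), "process": set(),
            "process_path": set(), "parent_process": set(),
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        for field in ("process_name", "process", "process_path", "parent_process"):
            if ev.get(field):
                row[field].add(ev[field])
    return list(groups.values())


def risk_score(impact: float = 100, confidence: float = 80) -> float:
    """RBA formula from the page: Risk Score = Impact * Confidence / 100."""
    return impact * confidence / 100


def risk_message(row) -> str:
    """Render the page's RBA message template for one result row."""
    names = ", ".join(sorted(row["process_name"]))
    return (f"The process [{names}] on {row['dest']} was launched with "
            f"system level integrity by {row['src_user']}.")


def make_event(**overrides):
    """Build a constructed Sysmon Event ID 1 record; defaults model a normal service start."""
    base = {"EventCode": 1, "_time": 1716900000, "dest": "ws01.corp.example",
            "user": "NT AUTHORITY\\SYSTEM", "ParentUser": "NT AUTHORITY\\SYSTEM",
            "IntegrityLevel": "System", "process_name": "svchost.exe",
            "process": "svchost.exe -k netsvcs",
            "process_path": "C:\\Windows\\System32\\svchost.exe",
            "parent_process_name": "services.exe", "parent_process": "services.exe",
            "parent_process_guid": "{GUID-PLACEHOLDER-1}"}
    base.update(overrides)
    return base


# Constructed sample records (placeholder hosts, users and GUIDs), not real telemetry.
_SUSPECT = dict(ParentUser="CORP\\jdoe", user="NT AUTHORITY\\SYSTEM",
                parent_process_name="cmd.exe", parent_process="cmd.exe",
                parent_process_guid="{GUID-PLACEHOLDER-2}")
SAMPLE_EVENTS = [
    make_event(),                                    # SYSTEM parent: excluded by "*SYSTEM"
    make_event(ParentUser="Window Manager\\DWM-1"),  # excluded by "*DWM-*"
    make_event(ParentUser="CORP\\WS01$"),            # machine account: excluded by "*$"
    make_event(ParentUser="CORP\\jdoe", user="CORP\\jdoe", IntegrityLevel="Medium",
               parent_process_name="explorer.exe", process_name="notepad.exe"),  # not System
    # Two System-integrity children of a user-owned cmd.exe: the behaviour the analytic flags.
    make_event(_time=1716900100, process_name="whoami.exe", process="whoami.exe",
               process_path="C:\\Windows\\System32\\whoami.exe", **_SUSPECT),
    make_event(_time=1716900160, process_name="powershell.exe", process="powershell.exe",
               process_path="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
               **_SUSPECT),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["count"], risk_score(), risk_message(row))
```

Running the block yields a single result row with `count` 2 for `jdoe`'s `cmd.exe`, while the SYSTEM, DWM, machine-account and Medium-integrity records are dropped; the exclusion helper is the place to extend when tuning out environment-specific service accounts, which is what the `_filter` macro does on the Splunk side.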
Macros
The SPL above uses the following Macros:
windows_privilege_escalation_system_process_without_system_parent_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- dest
- user
- ParentUser
- parent_process_name
- parent_process_guid
- IntegrityLevel
How To Implement
The target environment must ingest Sysmon data, specifically Event ID 1 with the process integrity level and parent user fields populated.
Known False Positives
Unknown
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message
---|---|---|---
80.0 | 100 | 80 | The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1068/
- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
- https://redcanary.com/blog/getsystem-offsec/
- https://atomicredteam.io/privilege-escalation/T1134.001/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 2