Windows Privilege Escalation System Process Without System Parent

Try in Splunk Security Cloud

Description

The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2023-11-30
• Author: Steven Dick
• ID: 5a5351cd-ba7e-499e-ad82-2ce160ffa637

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1068	Exploitation for Privilege Escalation	Privilege Escalation

T1548

Abuse Elevation Control Mechanism

Privilege Escalation, Defense Evasion

T1134

Access Token Manipulation

Defense Evasion, Privilege Escalation

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") 
| eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") 
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
| `windows_privilege_escalation_system_process_without_system_parent_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• sysmon

windows_privilege_escalation_system_process_without_system_parent_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• dest
• user
• ParentUser
• parent_process_name
• parent_process_guid
• IntegrityLevel

How To Implement

Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.

Known False Positives

Unknown

Associated Analytic Story

• Windows Privilege Escalation

RBA

Risk Score	Impact	Confidence	Message
80.0	100	80	The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1068/
• https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
• https://redcanary.com/blog/getsystem-offsec/
• https://atomicredteam.io/privilege-escalation/T1134.001/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1