Detection: Windows Privilege Escalation Suspicious Process Elevation

Updated Date: 2026-03-24 ID: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc Author: Steven Dick Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.

Search

  1
  2| tstats `security_content_summariesonly`
  3  count min(_time) as firstTime
  4
  5from datamodel=Endpoint.Processes where
  6
  7Processes.process_integrity_level IN ("low","medium","high")
  8NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")
  9
 10by Processes.action Processes.dest Processes.original_file_name
 11   Processes.parent_process Processes.parent_process_exec
 12   Processes.parent_process_guid Processes.parent_process_id
 13   Processes.parent_process_name Processes.parent_process_path
 14   Processes.process Processes.process_exec Processes.process_guid
 15   Processes.process_hash Processes.process_id
 16   Processes.process_integrity_level Processes.process_name
 17   Processes.process_path Processes.user Processes.user_id
 18   Processes.vendor_product
 19
 20
 21| `drop_dm_object_name(Processes)`
 22
 23| eval join_guid = process_guid,
 24       integrity_level = CASE(
 25            match(process_integrity_level,"low"),1,
 26            match(process_integrity_level,"medium"),2,
 27            match(process_integrity_level,"high"),3,
 28            match(process_integrity_level,"system"),4,
 29            true(),0
 30        )
 31
 32| rename user as src_user,
 33         parent_process* as orig_parent_process*,
 34         process* as parent_process*
 35
 36
 37| join max=0 dest join_guid [
 38    
 39| tstats `security_content_summariesonly`
 40      count max(_time) as lastTime
 41
 42    from datamodel=Endpoint.Processes where
 43
 44    (
 45        Processes.process_integrity_level IN ("system")
 46        NOT Processes.user IN (
 47                "*SYSTEM",
 48                "*LOCAL SERVICE",
 49                "*NETWORK SERVICE",
 50                "DWM-*",
 51                "*$"
 52            )
 53    )
 54    OR
 55    (
 56        Processes.process_integrity_level IN (
 57            "high",
 58            "system"
 59        )
 60        (
 61            Processes.parent_process_path IN (
 62                "*\\\\*",
 63                "*\\Users\\*",
 64                "*\\Temp\\*",
 65                "*\\ProgramData\\*"
 66            )
 67            OR
 68            Processes.process_path IN (
 69                "*\\\\*",
 70                "*\\Users\\*",
 71                "*\\Temp\\*",
 72                "*\\ProgramData\\*"
 73            )
 74        )
 75    )
 76
 77    by Processes.dest Processes.user Processes.parent_process_guid
 78       Processes.process_name Processes.process
 79       Processes.process_path Processes.process_integrity_level
 80       Processes.process_current_directory
 81
 82    
 83| `drop_dm_object_name(Processes)`
 84
 85    
 86| eval elevated_integrity_level = CASE(
 87                match(process_integrity_level,"low"),1,
 88                match(process_integrity_level,"medium"),2,
 89                match(process_integrity_level,"high"),3,
 90                match(process_integrity_level,"system"),4,
 91                true(),0
 92            )
 93    
 94| rename parent_process_guid as join_guid
 95]
 96
 97
 98| where
 99    elevated_integrity_level > integrity_level
100    OR
101    user != elevated_user
102
103
104| fields dest user src_user parent_process_name parent_process
105         parent_process_path parent_process_guid
106         parent_process_integrity_level parent_process_current_directory
107         process_name process process_path process_guid
108         process_integrity_level process_current_directory
109         orig_parent_process_name orig_parent_process
110         orig_parent_process_guid firstTime lastTime count
111
112
113| `security_content_ctime(firstTime)`
114
115| `security_content_ctime(lastTime)`
116
117| `windows_privilege_escalation_suspicious_process_elevation_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 1	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_privilege_escalation_suspicious_process_elevation_filter	`search *`

windows_privilege_escalation_suspicious_process_elevation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1548	Abuse Elevation Control Mechanism	Defense Evasion
T1134	Access Token Manipulation	Privilege Escalation

Exploitation

DE.CM

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.

Known False Positives

False positives may be generated by administrators installing benign applications using run-as/elevation.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].

Risk Object	Risk Object Type	Risk Score	Threat Objects
dest	system	50	process_name
src_user	user	50	process_name
user	user	50	process_name

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 10