Windows Privilege Escalation Suspicious Process Elevation

Try in Splunk Security Cloud

Description

The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-11-30
• Author: Steven Dick
• ID: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1068	Exploitation for Privilege Escalation	Privilege Escalation

T1548

Abuse Elevation Control Mechanism

Privilege Escalation, Defense Evasion

T1134

Access Token Manipulation

Defense Evasion, Privilege Escalation

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) 
| rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* 
| join max=0 dest join_guid  [
| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) 
| rename parent_process_guid as join_guid ] 
| where elevated_integrity_level > integrity_level OR user != elevated_user 
| fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count  
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
|  `windows_privilege_escalation_suspicious_process_elevation_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

windows_privilege_escalation_suspicious_process_elevation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Processes.dest
• Processes.user
• Processes.parent_process_guid
• Processes.parent_process
• Processes.parent_process_name
• Processes.process_name
• Processes.process
• Processes.process_path
• Processes.process_guid
• Processes.process_integrity_level
• Processes.process_current_directory

How To Implement

Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.

Known False Positives

False positives may be generated by administrators installing benign applications using run-as/elevation.

Associated Analytic Story

• Windows Privilege Escalation

RBA

Risk Score	Impact	Confidence	Message
40.0	100	40	The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1068/
• https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
• https://redcanary.com/blog/getsystem-offsec/
• https://atomicredteam.io/privilege-escalation/T1134.001/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1