Detection: Windows Privilege Escalation User Process Spawn System Process

Description

The following analytic detects when a low-, medium-, or high-integrity process running from a user-controlled location spawns a system-integrity process. This parent-to-child integrity jump is characteristic of privilege escalation, where an attacker elevates from a user-controlled process or service to SYSTEM. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions: it first selects candidate parents by integrity level, path, and account, then joins them on process GUID to any system-integrity child whose parent ran from one of those paths. Monitoring this activity is crucial, as SYSTEM-level access can give an attacker full control over the affected host, access to sensitive data, and a foothold for further malicious activity.

| tstats `security_content_summariesonly` count min(_time) as firstTime
    from datamodel=Endpoint.Processes where
    Processes.process_integrity_level IN ("low", "medium", "high")
    Processes.process_path IN ("*\\\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\*")
    NOT Processes.user IN ("*SYSTEM", "*LOCAL SERVICE", "*NETWORK SERVICE", "DWM-*", "*$")
    by Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec
       Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id Processes.process_integrity_level
       Processes.process_name Processes.process_path Processes.user
       Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| eval join_guid = process_guid
| join max=0 dest join_guid [
    | tstats `security_content_summariesonly` count max(_time) as lastTime
        from datamodel=Endpoint.Processes where
        Processes.process_integrity_level="system"
        Processes.parent_process_path IN ("*\\\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\*")
        by Processes.dest Processes.user Processes.parent_process_guid
           Processes.process_name Processes.process Processes.process_path
           Processes.process_integrity_level Processes.process_current_directory
    | `drop_dm_object_name(Processes)`
    | rename parent_process_guid as join_guid, process* as system_process*, user as system_user
    ]
| fields dest user parent_process parent_process_name parent_process_guid
         process process_name process_guid process_integrity_level process_path
         process_current_directory system_process_name system_process system_process_path
         system_process_integrity_level system_process_current_directory system_user
         firstTime lastTime count
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_privilege_escalation_user_process_spawn_system_process_filter`
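
The two-stage join above can be hard to follow in SPL, so here is the same logic re-implemented in Python over a handful of constructed, normalised Sysmon Event ID 1 records. This is an added example, not code from Splunk Security Content; the record field names, GUIDs, host name and accounts are constructed, while the path patterns and account exclusions are copied from the detection's where clauses.

```python
import fnmatch
from typing import Dict, List

# Path patterns and account exclusions copied from the detection's where clauses.
USER_PATHS = ["*\\\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\*"]
EXCLUDED_USERS = ["*SYSTEM", "*LOCAL SERVICE", "*NETWORK SERVICE", "DWM-*", "*$"]

def match_any(value: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match, mirroring SPL IN ("*...*") semantics."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Two-stage join: user-path parent (stage 1) -> system-integrity child (stage 2)."""
    # Stage 1: low/medium/high integrity processes from user-controlled paths,
    # excluding service and machine accounts, keyed by process_guid (the SPL join_guid).
    parents = {
        e["process_guid"]: e for e in events
        if e["integrity_level"].lower() in ("low", "medium", "high")
        and match_any(e["process_path"], USER_PATHS)
        and not match_any(e["user"], EXCLUDED_USERS)
    }
    # Stage 2: system-integrity processes whose parent path is user-controlled,
    # joined back to stage 1 on parent_process_guid and dest.
    findings = []
    for e in events:
        parent = parents.get(e["parent_process_guid"])
        if (e["integrity_level"].lower() == "system"
                and match_any(e["parent_process_path"], USER_PATHS)
                and parent is not None and parent["dest"] == e["dest"]):
            findings.append({"dest": e["dest"], "user": parent["user"],
                             "process_name": parent["process_name"],
                             "system_process_name": e["process_name"],
                             "system_user": e["user"]})
    return findings

# Constructed, normalised Sysmon Event ID 1 records (host, GUIDs and accounts are made up).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_guid": "G1", "parent_process_guid": "G0",
     "process_name": "updater.exe", "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "parent_process_path": "C:\\Windows\\explorer.exe", "integrity_level": "Medium"},
    {"dest": "ws01", "user": "NT AUTHORITY\\SYSTEM", "process_guid": "G2", "parent_process_guid": "G1",
     "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe",
     "parent_process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "integrity_level": "System"},
    {"dest": "ws01", "user": "NT AUTHORITY\\SYSTEM", "process_guid": "G3", "parent_process_guid": "G9",
     "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe",
     "parent_process_path": "C:\\Windows\\System32\\services.exe", "integrity_level": "System"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # only the updater.exe -> cmd.exe pair is reported
```

The svchost.exe record shows why the join matters: a SYSTEM process alone is not suspicious, only one whose parent both ran from a user-writable path and belongs to a non-service account.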

Data Source

Name: Sysmon EventID 1
Platform: Windows
Sourcetype: 'XmlWinEventLog'
Source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

security_content_ctime
    convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)

windows_privilege_escalation_user_process_spawn_system_process_filter
    search *

windows_privilege_escalation_user_process_spawn_system_process_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK
    T1068  Exploitation for Privilege Escalation  (Privilege Escalation)
    T1548  Abuse Elevation Control Mechanism  (Defense Evasion)
    T1134  Access Token Manipulation  (Privilege Escalation)

Kill Chain Phases: Exploitation
NIST: DE.CM
CIS: CIS 10
Threat Actors: none listed

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Disabled: true
Cron Schedule: 0 * * * *
Earliest Time: -70m@m
Latest Time: -10m@m
Schedule Window: auto
Creates Notable: Yes
Rule Title: %name%
Rule Description: %description%
Notable Event Fields: user, dest
Creates Risk Event: True

This configuration applies to all detections of type TTP. These detections use Risk Based Alerting and generate Notable Events.

Implementation

The target environment must ingest Sysmon data, specifically Event ID 15, and map it to the Endpoint.Processes data model so that process_integrity_level, process_path and the process GUID fields are populated.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

The user $user$ launched the process $process_name$ which spawned a system level integrity process.

Risk Object: dest (type: system), Risk Score: 50, Threat Objects: process_name
Risk Object: user (type: user), Risk Score: 50, Threat Objects: process_name

References

Detection Testing

Validation: Passing (Dataset: N/A, Source: N/A, Sourcetype: N/A)
Unit: Passing (Dataset; Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational; Sourcetype: XmlWinEventLog)
Integration: Passing (Dataset; Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational; Sourcetype: XmlWinEventLog)

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 11