Windows Privilege Escalation Suspicious Process Elevation

Try in Splunk Security Cloud

Description

The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon Event ID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2024-05-23
• Author: Steven Dick
• ID: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1068	Exploitation for Privilege Escalation	Privilege Escalation

T1548

Abuse Elevation Control Mechanism

Privilege Escalation, Defense Evasion

T1134

Access Token Manipulation

Defense Evasion, Privilege Escalation

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) 
| rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* 
| join max=0 dest join_guid  [
| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) 
| rename parent_process_guid as join_guid ] 
| where elevated_integrity_level > integrity_level OR user != elevated_user 
| fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count  
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
|  `windows_privilege_escalation_suspicious_process_elevation_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

windows_privilege_escalation_suspicious_process_elevation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Processes.dest
• Processes.user
• Processes.parent_process_guid
• Processes.parent_process
• Processes.parent_process_name
• Processes.process_name
• Processes.process
• Processes.process_path
• Processes.process_guid
• Processes.process_integrity_level
• Processes.process_current_directory

How To Implement

Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.

Known False Positives

False positives may be generated by administrators installing benign applications using run-as/elevation.

Associated Analytic Story

• Windows Privilege Escalation

RBA

Risk Score	Impact	Confidence	Message
40.0	100	40	The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1068/
• https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
• https://redcanary.com/blog/getsystem-offsec/
• https://atomicredteam.io/privilege-escalation/T1134.001/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2