Try in Splunk Security Cloud

Description

The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-11-30
  • Author: Steven Dick
  • ID: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1548 Abuse Elevation Control Mechanism Privilege Escalation, Defense Evasion
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE 


1
2
3
4
5
6
7
8
9
10
11
12



| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") AND Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval join_guid = process_guid 
| join max=0 dest join_guid  [
| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("system") AND Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] 
| fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
| `windows_privilege_escalation_user_process_spawn_system_process_filter`

Macros

The SPL above uses the following Macros:

:information_source: windows_privilege_escalation_user_process_spawn_system_process_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • dest
  • user
  • ParentUser
  • parent_process_name
  • parent_process_guid
  • IntegrityLevel

How To Implement

Target environment must ingest sysmon data, specifically Event ID 15.

Known False Positives

Unknown

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
80.0 100 80 The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$].

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1