
Summary
This detection rule identifies cases where a Windows command shell ('cmd.exe' or 'powershell.exe') is started with system privileges from an uncommon or suspicious parent location, which can indicate an unauthorized privilege escalation attempt. When a shell is launched under the SYSTEM logon session (LogonId '0x3e7'), the rule compares the location of the parent executable against a predefined set of locations that are considered normal for such launches. If the parent does not fall into one of these acceptable categories, an alert is generated. Optional filters additionally account for specific software installations, such as well-known management and backup tools, that are known to spawn shells in this way and could themselves be abused. Overall, the rule helps security teams monitor privilege escalation attempts in Windows environments and identify potentially malicious activity at an early stage.
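The matching logic the summary describes, as an added Python example that is not the rule's own code or query: it evaluates constructed process-creation events against the SYSTEM logon-session check, the shell-image check and a parent-location allowlist. The allowlisted directories and the optional tool-filter entry are assumed placeholders, since the page does not list the rule's actual values.

```python
from dataclasses import dataclass
SYSTEM_LOGON_ID = "0x3e7"                    # logon session of the local SYSTEM account
SHELL_IMAGES = ("cmd.exe", "powershell.exe")

# ASSUMPTION: the rule's real allowlist is not on this page; these stand in for
# the "parent executable locations that would be considered normal".
NORMAL_PARENT_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# ASSUMPTION: placeholder for the optional filter covering management/backup
# tools that spawn SYSTEM shells from non-standard paths.
OPTIONAL_TOOL_PARENTS = ("c:\\backuptool\\agent.exe",)

@dataclass
class ProcessCreate:           # minimal process-creation event
    image: str                 # Image
    parent_image: str          # ParentImage
    logon_id: str              # LogonId

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def is_suspicious(ev: ProcessCreate, apply_optional_filters: bool = True) -> bool:
    # Rule match: a cmd/powershell process running as SYSTEM whose parent sits
    # outside the allowlisted locations (and is not an optionally filtered tool).
    if ev.logon_id.lower() != SYSTEM_LOGON_ID:
        return False                                   # not the SYSTEM session
    if _norm(ev.image).rsplit("\\", 1)[-1] not in SHELL_IMAGES:
        return False                                   # not a command shell
    parent = _norm(ev.parent_image)
    if parent.startswith(NORMAL_PARENT_DIRS):
        return False                                   # expected parent location
    if apply_optional_filters and parent in OPTIONAL_TOOL_PARENTS:
        return False                                   # known management/backup tool
    return True

def run_rule(events, apply_optional_filters: bool = True):
    # Return the events that would raise an alert.
    return [e for e in events if is_suspicious(e, apply_optional_filters)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreate("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\services.exe", "0x3e7"),
    ProcessCreate("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Users\\Public\\updater.exe", "0x3e7"),
    ProcessCreate("C:\\Windows\\System32\\cmd.exe", "C:\\Users\\Public\\updater.exe", "0x4f2a1"),
    ProcessCreate("C:\\Windows\\System32\\cmd.exe", "C:\\BackupTool\\agent.exe", "0x3e7"),
]
```

Only the second event alerts with the optional filter enabled; disabling the filter also surfaces the backup-tool parent, which is how the rule's tunable filters trade coverage against noise.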
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-12-05