
Summary
This detection rule identifies potential privilege escalation in Windows environments. It looks for system-level processes spawned by non-system user accounts, which typically indicates an abnormal escalation of privileges that could lead to system compromise. Using Sysmon Event ID 1 (process creation), the rule examines the new process's integrity level together with the parent process's user. When a user-controlled process succeeds in executing a system-level process, the event is a significant security concern that warrants further investigation. The rule's logic selects processes running at System integrity whose parent user is not a standard system account. Such an event may indicate that an attacker has gained elevated privileges and can manipulate system functions with increased authority. To implement this detection effectively, the environment must be configured so that Sysmon captures process creation events, including parent user information.
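As an added illustration (not part of the rule or of this page), the following Python applies the same logic to Sysmon Event ID 1 records: it parses the Windows event XML, keeps only process-creation events, and flags a System-integrity child whose ParentUser is not a well-known system account. The sample records, the helper that builds them, and the allow-list of system accounts are constructed for this example; the allow-list in particular is an assumption and should be tuned to the accounts a given environment runs services under.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional
from xml.sax.saxutils import escape

# Sysmon writes events in the standard Windows event XML namespace.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Accounts whose child processes are expected to run at System integrity.
# This allow-list is an assumption of the example, not taken from the rule page;
# extend it for environments that run services under other built-in accounts.
SYSTEM_ACCOUNTS = {
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
}


@dataclass
class ProcessCreate:
    computer: str
    image: str
    integrity_level: str
    user: str
    parent_image: str
    parent_user: str


def parse_process_create(xml_text: str) -> Optional[ProcessCreate]:
    """Return a ProcessCreate for a Sysmon Event ID 1 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=EVT_NS)
    if event_id != "1":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return ProcessCreate(
        computer=root.findtext("e:System/e:Computer", default="", namespaces=EVT_NS),
        image=data.get("Image", ""),
        integrity_level=data.get("IntegrityLevel", ""),
        user=data.get("User", ""),
        parent_image=data.get("ParentImage", ""),
        parent_user=data.get("ParentUser", ""),
    )


def is_system_account(user: str) -> bool:
    # Account names are case-insensitive on Windows.
    return user.upper() in {a.upper() for a in SYSTEM_ACCOUNTS}


def matches_rule(ev: ProcessCreate) -> bool:
    """System-integrity child whose parent ran as a non-system user."""
    if ev.integrity_level.lower() != "system":
        return False
    # Sysmon emits "-" for unavailable fields, and older Sysmon builds do not populate
    # ParentUser at all; with no parent user there is nothing to compare, so do not alert.
    if ev.parent_user in ("", "-"):
        return False
    return not is_system_account(ev.parent_user)


def detect(events: List[str]) -> List[ProcessCreate]:
    """Run the rule over raw event XML strings and return the matching process creations."""
    return [ev for ev in map(parse_process_create, events) if ev is not None and matches_rule(ev)]


def sysmon_xml(event_id: int, fields: Dict[str, str], computer: str = "WS01.corp.example") -> str:
    """Build a record in the layout Sysmon uses (constructed test data, not a captured log)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>')


SAMPLE_EVENTS = [
    # 0: System-integrity cmd.exe whose parent ran as an interactive domain user -> alert
    sysmon_xml(1, {"Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "System",
                   "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Users\alice\Downloads\update.exe",
                   "ParentUser": r"CORP\alice"}),
    # 1: normal service start: System child of a System parent -> no alert
    sysmon_xml(1, {"Image": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "System",
                   "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
                   "ParentUser": r"NT AUTHORITY\SYSTEM"}),
    # 2: elevated admin shell (High, not System) started by the user -> no alert
    sysmon_xml(1, {"Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High",
                   "User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe",
                   "ParentUser": r"CORP\alice"}),
    # 3: a network-connection event (ID 3) is outside the rule's scope -> skipped
    sysmon_xml(3, {"Image": r"C:\Windows\System32\cmd.exe", "DestinationIp": "10.0.0.5"}),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.computer}: {hit.parent_user} ({hit.parent_image}) spawned "
              f"System-integrity {hit.image}")
```

The ParentUser guard is the caveat to keep in mind when porting this to a SIEM: a rule written as "IntegrityLevel = System AND ParentUser NOT IN (...)" will either silently never fire or fire on everything, depending on how the platform treats a missing field, so confirm that the deployed Sysmon build actually emits ParentUser before trusting the rule.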
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- User Account
ATT&CK Techniques
- T1068
- T1134.001
- T1548
- T1134
Created: 2024-11-13