
Summary
This detection rule identifies a child process that starts with SYSTEM privileges when its parent process runs under the LOCAL SERVICE or NETWORK SERVICE account. Both service accounts carry fewer privileges than SYSTEM, so a SYSTEM child spawned from them is an unexpected privilege change and can indicate a privilege escalation in which an attacker who has compromised such a service abuses it to obtain SYSTEM-level access. The rule relies on Windows process-creation auditing, specifically Sysmon process creation events (Event ID 1); Sysmon version 13.30 or later is required because it reports the parent process's account alongside the child's. The rule matches events whose parent process is owned by one of the two service accounts and whose child process runs as the SYSTEM account (the check is on the account the child runs as, not on the Windows integrity level). Known-benign combinations, such as specific usernames and rundll32.exe command lines, are excluded to reduce false positives. The rule is part of a broader set of detections for Windows environments, and the referenced material provides additional context and scenarios for understanding privilege escalation techniques on Windows.
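The matching logic described above, as an added example that is not the rule's own query: Python over constructed records shaped like the EventData of Sysmon Event ID 1 (the `ParentUser` field is present only in Sysmon 13.30 and later, so records without it are reported as unevaluable rather than silently ignored). The allow-list entry for rundll32.exe is a hypothetical placeholder standing in for the rule's real exclusions, whose values are not reproduced here, and every sample event is constructed, not real telemetry.

```python
"""Detection logic: SYSTEM child spawned by a LOCAL SERVICE / NETWORK SERVICE parent.

Added example, not the rule's own query. Events are dicts mirroring the
EventData of Sysmon Event ID 1 (ProcessCreate). ParentUser exists only in
Sysmon 13.30 and later. All sample events below are constructed.
"""
from typing import Optional

# Account display names as Sysmon writes them on an English-locale host.
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
SERVICE_ACCOUNTS = {r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"}

# Hypothetical allow-list standing in for the rule's own false-positive
# exclusions (assumption: the real rule's values are not reproduced here).
# Each entry: child image basename and a substring of the child command line.
EXCLUSIONS = (
    ("rundll32.exe", "example.dll,ExampleEntry"),
)


def _norm(account: Optional[str]) -> str:
    """Trim and upper-case an account name so comparisons are case-insensitive."""
    return (account or "").strip().upper()


def _basename(path: Optional[str]) -> str:
    """Lower-cased image basename, tolerating both Windows and POSIX separators."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_excluded(event: dict) -> bool:
    """True if the child image / command line matches a known-benign pair."""
    image = _basename(event.get("Image"))
    cmdline = event.get("CommandLine") or ""
    return any(image == exc_image and exc_fragment in cmdline
               for exc_image, exc_fragment in EXCLUSIONS)


def evaluate(event: dict) -> str:
    """Classify one ProcessCreate event.

    Returns one of:
      'no_parent_user' - ParentUser missing (Sysmon older than 13.30)
      'no_match'       - parent not LOCAL/NETWORK SERVICE, or child not SYSTEM
      'excluded'       - matched, but on the allow-list
      'alert'          - service-account parent spawned a SYSTEM child
    """
    if "ParentUser" not in event:
        return "no_parent_user"
    if _norm(event["ParentUser"]) not in {_norm(a) for a in SERVICE_ACCOUNTS}:
        return "no_match"
    if _norm(event.get("User")) != _norm(SYSTEM_ACCOUNT):
        return "no_match"
    if is_excluded(event):
        return "excluded"
    return "alert"


def run(events: list) -> list:
    """Evaluate a batch and return (verdict, child image basename) pairs in order."""
    return [(evaluate(e), _basename(e.get("Image"))) for e in events]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Normal service start: SYSTEM parent, LOCAL SERVICE child. Wrong direction.
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k LocalService",
     "User": r"NT AUTHORITY\LOCAL SERVICE",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    # NETWORK SERVICE parent spawning a SYSTEM cmd.exe: the pattern the rule targets.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": r"nt authority\network service"},
    # LOCAL SERVICE parent, SYSTEM child, but it hits the hypothetical allow-list.
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe example.dll,ExampleEntry",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": r"NT AUTHORITY\LOCAL SERVICE"},
    # Service-account parent and child: no privilege change.
    {"Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4",
     "User": r"NT AUTHORITY\LOCAL SERVICE",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": r"NT AUTHORITY\LOCAL SERVICE"},
    # Event from a Sysmon build without ParentUser: cannot be evaluated.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for verdict, image in run(SAMPLE_EVENTS):
        print(f"{verdict:15s} {image}")
```

The `no_parent_user` verdict is the operational caveat: on hosts running a Sysmon build older than 13.30 the rule has no parent account to test and will produce no alerts at all, which is easy to mistake for a clean fleet. Account names are compared case-insensitively because different collectors vary the casing; on non-English hosts the display names differ, and a pipeline that resolves SIDs (S-1-5-18 for SYSTEM, S-1-5-19 and S-1-5-20 for the two service accounts) should compare those instead.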
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2019-10-26