title: Windows Kernel and 3rd-Party Driver Exploits (Token Stealing)
id: 8065b1b4-1778-4427-877f-6bf948b26d38
description: Detects a child process created with SYSTEM privileges (user NT AUTHORITY\SYSTEM, System integrity level) by a parent running at Medium integrity. Kernel and driver exploits that steal the SYSTEM token typically spawn a new process from the exploiting (non-privileged) process, producing exactly this parent/child combination.
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
    - attack.privilege_escalation
    - attack.t1068
status: experimental
author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
date: 2019/06/03
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentIntegrityLevel: Medium
        IntegrityLevel: System
        User: "NT AUTHORITY\\SYSTEM"
    condition: selection
falsepositives:
    - Unknown
level: critical
enrichment:
    - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
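The rule's one practical wrinkle is the `ParentIntegrityLevel` field: Sysmon Event ID 1 reports the child's `IntegrityLevel` but not the parent's, which is why the rule lists the two enrichments above (cache every Event ID 1, then join the parent's record onto the child by `ParentProcessGuid`). The following Python is an added example, not part of the Sigma rule or any project code: it performs that join over a handful of constructed Sysmon-style records and then applies the selection with Sigma's AND semantics. Field names follow Sysmon Event ID 1; the sample events and their GUIDs are made up for the example.

```python
# Added example: enrich Sysmon Event ID 1 records with the parent's integrity
# level, then apply the rule's selection (all fields must match).

# The rule's selection block, as a dict of exact-match fields.
SELECTION = {
    "ParentIntegrityLevel": "Medium",
    "IntegrityLevel": "System",
    "User": r"NT AUTHORITY\SYSTEM",
}


def enrich_with_parent(events):
    """Add ParentIntegrityLevel to each record (the EN_0001/EN_0002 step).

    Sysmon EID 1 carries the child's IntegrityLevel only, so the parent's level
    is looked up from the parent's own EID 1 record, keyed on ProcessGuid.
    Records whose parent was never seen get None and therefore cannot match.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    enriched = []
    for e in events:
        parent = by_guid.get(e.get("ParentProcessGuid"))
        rec = dict(e)
        rec["ParentIntegrityLevel"] = parent["IntegrityLevel"] if parent else None
        enriched.append(rec)
    return enriched


def matches(record, selection=SELECTION):
    """Sigma selection semantics: every listed field must equal its value."""
    return all(record.get(field) == value for field, value in selection.items())


def hunt(events):
    """Return the enriched records that trigger the rule."""
    return [r for r in enrich_with_parent(events) if matches(r)]


# Constructed sample events (hypothetical GUIDs and paths, not real telemetry).
SAMPLE_EVENTS = [
    # Benign: interactive shell from explorer.exe, both at Medium.
    {"ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}",
     "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "IntegrityLevel": "Medium"},
    # Benign: service host started by services.exe, both already SYSTEM.
    {"ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-0}",
     "Image": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ProcessGuid": "{G-4}", "ParentProcessGuid": "{G-3}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    # Suspicious: a Medium-integrity user binary spawns a SYSTEM cmd.exe,
    # the pattern left behind by a token-stealing kernel/driver exploit.
    {"ProcessGuid": "{G-5}", "ParentProcessGuid": "{G-1}",
     "Image": r"C:\Users\alice\Desktop\exploit.exe", "User": r"CORP\alice",
     "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{G-6}", "ParentProcessGuid": "{G-5}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    # SYSTEM child whose parent record is missing: cannot be judged, no alert.
    {"ProcessGuid": "{G-7}", "ParentProcessGuid": "{G-unknown}",
     "Image": r"C:\Windows\System32\conhost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "spawned as SYSTEM by", hit["ParentProcessGuid"])
```

Two details matter when moving this into a real pipeline. The parent lookup only works if the parent's Event ID 1 was cached before the child's arrived, so the cache must outlive the parent process (the parent may have exited by the time the child event is processed). And because the join depends on the parent record being present at all, a missing parent yields no alert rather than a false one; whether that gap is acceptable is a deployment decision.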