/
proc_creation_win_susp_abusing_debug_privilege.yml
51 lines (51 loc) · 1.43 KB
/
proc_creation_win_susp_abusing_debug_privilege.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020/10/28
modified: 2022/11/11
tags:
- attack.privilege_escalation
- attack.t1548
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\winlogon.exe'
- '\services.exe'
- '\lsass.exe'
- '\csrss.exe'
- '\smss.exe'
- '\wininit.exe'
- '\spoolsv.exe'
- '\searchindexer.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
filter:
CommandLine|contains|all:
- ' route '
- ' ADD '
condition: all of selection_* and not filter
fields:
- ParentImage
- Image
- User
- CommandLine
falsepositives:
- Unknown
level: high