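---
# Splunk ESCU detection (contentctl schema).
# Pairs a low/medium/high-integrity parent owned by a non-service account with a
# child that is either SYSTEM integrity, or high/system integrity running from
# (or spawned from) a UNC, \Users\, \Temp\ or \ProgramData\ path. The outer
# search supplies the parent row, the subsearch the child row, and the two are
# joined on dest + the child's parent_process_guid (aliased to join_guid).
name: Windows Privilege Escalation Suspicious Process Elevation
id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc
# Bumped from 1: the final `where` compared against an `elevated_user` field
# that nothing in the search produces, so that branch could never match. It now
# compares src_user (parent account) with user (child account).
version: 2
date: '2023-11-30'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges.
# Only Sysmon EID 1 is listed; the search depends on process_integrity_level and
# process_guid/parent_process_guid being populated, which that event carries.
data_source:
- Sysmon EventID 1
# Field flow to keep in mind when reading the SPL below:
#   outer search : user -> src_user, parent_process* -> orig_parent_process*,
#                  process* -> parent_process*, join_guid = process_guid,
#                  integrity_level = numeric rank of the parent's integrity
#   subsearch    : user stays `user` (child account), parent_process_guid ->
#                  join_guid, elevated_integrity_level = rank of the child's
#                  integrity
# NOTE(review): match() is case-sensitive and the CASE() keys are lowercase;
# confirm the Endpoint data model normalizes process_integrity_level to
# lowercase, otherwise both CASE() calls fall through to 0 and the
# integrity comparison never fires.
search: >-
  | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid,
  Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats
  `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest,
  Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename parent_process_guid as join_guid ] | where
  elevated_integrity_level > integrity_level OR src_user != user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` |
  `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`
how_to_implement: >-
  Target environment must ingest process execution data sources such as Windows
  process monitoring and/or Sysmon EID 1. The search joins parent and child on
  process_guid / parent_process_guid and compares process_integrity_level, so
  the source feeding the Endpoint.Processes data model must populate all three
  fields (Sysmon EID 1 carries them); events missing the GUIDs will never join
  and will not produce a result.
known_false_positives: >-
  False positives may be generated by administrators installing benign
  applications using run-as/elevation. Because the child-side filter matches
  any high-integrity process whose path or parent path is under \Users\, \Temp\,
  \ProgramData\ or a UNC share, UAC-elevated installers launched from a user
  profile (for example a Downloads folder) will also match; tune these through
  the filter macro.
references:
- https://attack.mitre.org/techniques/T1068/
- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
- https://redcanary.com/blog/getsystem-offsec/
- https://atomicredteam.io/privilege-escalation/T1134.001/
tags:
  analytic_story:
  - Windows Privilege Escalation
  asset_type: Endpoint
  confidence: 40
  impact: 100
  # src_user is the parent's account, user (observable below) the child's.
  message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].
  mitre_attack_id:
  - T1068
  - T1548
  - T1134
  observable:
  - name: dest
    role:
    - Victim
    type: Hostname
  - name: user
    role:
    - Victim
    type: User
  - name: src_user
    role:
    - Victim
    type: User
  - name: process_name
    role:
    - Attacker
    type: Other
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  # Every data-model field the SPL reads; parent_process_path is consumed by
  # the subsearch's path filter and was previously missing from this list.
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_guid
  - Processes.parent_process
  - Processes.parent_process_name
  - Processes.parent_process_path
  - Processes.process_name
  - Processes.process
  - Processes.process_path
  - Processes.process_guid
  - Processes.process_integrity_level
  - Processes.process_current_directory
  # risk_score = impact * confidence / 100
  risk_score: 40
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: XmlWinEventLog
    update_timestamp: true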