EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Child Process Created as System

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

MITRE ATT&CK

T1134.002
defense-evasionprivilege-escalation

Detection Query

selection:
  ParentUser|contains:
    - AUTHORI
    - AUTORI
  ParentUser|endswith:
    - \NETWORK SERVICE
    - \LOCAL SERVICE
  User|contains:
    - AUTHORI
    - AUTORI
  User|endswith:
    - \SYSTEM
    - \Système
    - \СИСТЕМА
  IntegrityLevel:
    - System
    - S-1-16-16384
filter_rundll32:
  Image|endswith: \rundll32.exe
  CommandLine|contains: DavSetCookie
condition: selection and not 1 of filter_*

Author

Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)

Created

2019-10-26

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.privilege-escalationattack.t1134.002
Raw Content
title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://github.com/antonioCoco/RogueWinRM
    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
detection:
    selection:
        ParentUser|contains:
            - 'AUTHORI'
            - 'AUTORI'
        ParentUser|endswith:
            - '\NETWORK SERVICE'
            - '\LOCAL SERVICE'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|endswith: # System
            - '\SYSTEM'
            - '\Système'
            - '\СИСТЕМА'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DavSetCookie'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high