← Back to Explore
splunk_escuTTP
Windows Privilege Escalation User Process Spawn System Process
The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.
Detection Query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
from datamodel=Endpoint.Processes where
Processes.process_integrity_level IN (
"low",
"medium",
"high"
)
Processes.process_path IN (
"*\\\\*",
"*\\ProgramData\\*",
"*\\Temp\\*",
"*\\Users\\*"
)
NOT Processes.user IN (
"*SYSTEM",
"*LOCAL SERVICE",
"*NETWORK SERVICE",
"DWM-*",
"*$"
)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| eval join_guid = process_guid
| join max=0 dest join_guid [
| tstats `security_content_summariesonly`
count max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_integrity_level="system"
Processes.parent_process_path IN (
"*\\\\*",
"*\\ProgramData\\*",
"*\\Temp\\*",
"*\\Users\\*"
)
by Processes.dest Processes.user Processes.parent_process_guid
Processes.process_name Processes.process Processes.process_path
Processes.process_integrity_level Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid, process* as system_process*, user as system_user
]
| fields dest user parent_process parent_process_name parent_process_guid
process process_name process_guid process_integrity_level process_path
process_current_directory system_process_name system_process system_process_path
system_process_integrity_level system_process_current_directory system_user
firstTime lastTime count
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_privilege_escalation_user_process_spawn_system_process_filter`Author
Steven Dick
Data Sources
Sysmon EventID 1 AND Sysmon EventID 1
References
Raw Content
name: Windows Privilege Escalation User Process Spawn System Process
id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe
version: 13
creation_date: '2024-02-14'
modification_date: '2026-05-13'
author: Steven Dick
status: production
type: TTP
description: |
The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location.
This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service.
The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions.
Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.
data_source:
- Sysmon EventID 1 AND Sysmon EventID 1
search: |-
| tstats `security_content_summariesonly`
count min(_time) as firstTime
from datamodel=Endpoint.Processes where
Processes.process_integrity_level IN (
"low",
"medium",
"high"
)
Processes.process_path IN (
"*\\\\*",
"*\\ProgramData\\*",
"*\\Temp\\*",
"*\\Users\\*"
)
NOT Processes.user IN (
"*SYSTEM",
"*LOCAL SERVICE",
"*NETWORK SERVICE",
"DWM-*",
"*$"
)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| eval join_guid = process_guid
| join max=0 dest join_guid [
| tstats `security_content_summariesonly`
count max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_integrity_level="system"
Processes.parent_process_path IN (
"*\\\\*",
"*\\ProgramData\\*",
"*\\Temp\\*",
"*\\Users\\*"
)
by Processes.dest Processes.user Processes.parent_process_guid
Processes.process_name Processes.process Processes.process_path
Processes.process_integrity_level Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid, process* as system_process*, user as system_user
]
| fields dest user parent_process parent_process_name parent_process_guid
process process_name process_guid process_integrity_level process_path
process_current_directory system_process_name system_process system_process_path
system_process_integrity_level system_process_current_directory system_user
firstTime lastTime count
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_privilege_escalation_user_process_spawn_system_process_filter`
how_to_implement: Target environment must ingest sysmon data, specifically Event ID 15.
known_false_positives: No false positives have been identified at this time.
references:
- https://attack.mitre.org/techniques/T1068/
- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
- https://redcanary.com/blog/getsystem-offsec/
- https://atomicredteam.io/privilege-escalation/T1134.001/
drilldown_searches:
- name: View the detection results for - "$dest$" and "$user$"
search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: The user $user$ launched the process $process_name$ which spawned a system level integrity process.
entity:
field: user
type: user
score: 50
intermediate_findings:
entities:
- field: dest
type: system
score: 50
message: The user $user$ launched the process $process_name$ which spawned a system level integrity process.
threat_objects:
- field: process_name
type: process_name
analytic_story:
- Windows Privilege Escalation
- Compromised Windows Host
- BlackSuit Ransomware
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
- T1068
- T1548
- T1134
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
name: True Positive Test
test_type: unit