← Back to Explore
sigmahighHunting
Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
Detection Query
selection_parent:
ParentImage|endswith:
- \winlogon.exe
- \services.exe
- \lsass.exe
- \csrss.exe
- \smss.exe
- \wininit.exe
- \spoolsv.exe
- \searchindexer.exe
User|contains:
- AUTHORI
- AUTORI
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- \cmd.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Cmd.Exe
filter:
CommandLine|contains|all:
- " route "
- " ADD "
condition: all of selection_* and not filter
Author
Semanur Guneysu @semanurtg, oscd.community
Created
2020-10-28
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.privilege-escalationattack.t1548
Raw Content
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\winlogon.exe'
- '\services.exe'
- '\lsass.exe'
- '\csrss.exe'
- '\smss.exe'
- '\wininit.exe'
- '\spoolsv.exe'
- '\searchindexer.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
filter:
CommandLine|contains|all:
- ' route '
- ' ADD '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high