rules/windows/process_creation/sysmon_abusing_debug_privilege.yml

title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: experimental
description: Detection of unusual child processes by different system processes
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
date: 2020/10/28
tags:
    - attack.privilege_escalation
    - attack.t1548
author: 'Semanur Guneysu @semanurtg, oscd.community'
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        ParentImage|endswith:
        - '\winlogon.exe'
        - '\services.exe'
        - '\lsass.exe'
        - '\csrss.exe'
        - '\smss.exe'
        - '\wininit.exe'
        - '\spoolsv.exe'
        - '\searchindexer.exe'
    selection2:
           Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    selection3:
            User|startswith: 
                - 'NT AUTHORITY\SYSTEM'
                - 'AUTORITE NT\Sys' # French language settings
    filter:
           CommandLine|contains|all:
           - ' route '
           - ' ADD '
    condition: selection1 and selection2 and selection3 and not filter
fields:
    - ParentImage
    - Image
    - User
    - CommandLine
falsepositives:
    - unknown
level: high
Create sysmon_abusing_debug_privilege.yml 2020-10-07 16:52:19 +03:00			`title: Abused Debug Privilege by Arbitrary Parent Processes`
			`id: d522eca2-2973-4391-a3e0-ef0374321dae`
			`status: experimental`
			`description: Detection of unusual child processes by different system processes`
			`references:`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:44:27 +03:00			`- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg`
Update sysmon_abusing_debug_privilege.yml 2020-10-28 20:11:29 +03:00			`date: 2020/10/28`
Create sysmon_abusing_debug_privilege.yml 2020-10-07 16:52:19 +03:00			`tags:`
			`- attack.privilege_escalation`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:01:46 +03:00			`- attack.t1548`
change syntax a bit to re-run the test 2020-10-31 23:57:13 +01:00			`author: 'Semanur Guneysu @semanurtg, oscd.community'`
Create sysmon_abusing_debug_privilege.yml 2020-10-07 16:52:19 +03:00			`logsource:`
			`product: windows`
Added category field 2020-10-07 17:25:32 +03:00			`category: process_creation`
Create sysmon_abusing_debug_privilege.yml 2020-10-07 16:52:19 +03:00			`detection:`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:01:46 +03:00			`selection1:`
Update sysmon_abusing_debug_privilege.yml 2020-10-10 13:19:02 +03:00			`ParentImage\|endswith:`
			`- '\winlogon.exe'`
			`- '\services.exe'`
			`- '\lsass.exe'`
			`- '\csrss.exe'`
			`- '\smss.exe'`
			`- '\wininit.exe'`
			`- '\spoolsv.exe'`
			`- '\searchindexer.exe'`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:01:46 +03:00			`selection2:`
Fixes and improvements 2021-04-03 00:00:43 +02:00			`Image\|endswith:`
Update sysmon_abusing_debug_privilege.yml 2020-10-10 13:19:02 +03:00			`- '\powershell.exe'`
			`- '\cmd.exe'`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:01:46 +03:00			`selection3:`
Update sysmon_abusing_debug_privilege.yml 2021-08-26 12:46:15 +00:00			`User\|startswith:`
			`- 'NT AUTHORITY\SYSTEM'`
			`- 'AUTORITE NT\Sys' # French language settings`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:01:46 +03:00			`filter:`
			`CommandLine\|contains\|all:`
change a syntax a bit to re-run the tests 2020-11-04 22:30:27 +01:00			`- ' route '`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 17:45:13 +03:00			`- ' ADD '`
Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:01:46 +03:00			`condition: selection1 and selection2 and selection3 and not filter`
Create sysmon_abusing_debug_privilege.yml 2020-10-07 16:52:19 +03:00			`fields:`
			`- ParentImage`
			`- Image`
			`- User`
			`- CommandLine`
			`falsepositives:`
			`- unknown`
			`level: high`