Change status for old rules

2021-11-27 11:33:14 +01:00
parent 6664d6e522
commit 01dc930c17
547 changed files with 11964 additions and 11755 deletions
@@ -1,46 +1,47 @@
 title: Abused Debug Privilege by Arbitrary Parent Processes
 id: d522eca2-2973-4391-a3e0-ef0374321dae
-status: experimental
+status: test
 description: Detection of unusual child processes by different system processes
-references:
-    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
-date: 2020/10/28
-tags:
-    - attack.privilege_escalation
-    - attack.t1548
 author: 'Semanur Guneysu @semanurtg, oscd.community'
+references:
+  - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+date: 2020/10/28
+modified: 2021/11/27
 logsource:
-    product: windows
-    category: process_creation
+  product: windows
+  category: process_creation
 detection:
-    selection1:
-        ParentImage|endswith:
-        - '\winlogon.exe'
-        - '\services.exe'
-        - '\lsass.exe'
-        - '\csrss.exe'
-        - '\smss.exe'
-        - '\wininit.exe'
-        - '\spoolsv.exe'
-        - '\searchindexer.exe'
-    selection2:
-           Image|endswith:
-            - '\powershell.exe'
-            - '\cmd.exe'
-    selection3:
-            User|startswith: 
-                - 'NT AUTHORITY\SYSTEM'
-                - 'AUTORITE NT\Sys' # French language settings
-    filter:
-           CommandLine|contains|all:
-           - ' route '
-           - ' ADD '
-    condition: selection1 and selection2 and selection3 and not filter
+  selection1:
+    ParentImage|endswith:
+      - '\winlogon.exe'
+      - '\services.exe'
+      - '\lsass.exe'
+      - '\csrss.exe'
+      - '\smss.exe'
+      - '\wininit.exe'
+      - '\spoolsv.exe'
+      - '\searchindexer.exe'
+  selection2:
+    Image|endswith:
+      - '\powershell.exe'
+      - '\cmd.exe'
+  selection3:
+    User|startswith:
+      - 'NT AUTHORITY\SYSTEM'
+      - 'AUTORITE NT\Sys'           # French language settings
+  filter:
+    CommandLine|contains|all:
+      - ' route '
+      - ' ADD '
+  condition: selection1 and selection2 and selection3 and not filter
 fields:
-    - ParentImage
-    - Image
-    - User
-    - CommandLine
+  - ParentImage
+  - Image
+  - User
+  - CommandLine
 falsepositives:
-    - unknown
+  - unknown
 level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1548