title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: experimental
description: Detects unusual child processes (cmd.exe or powershell.exe running as SYSTEM) spawned by Windows system processes such as winlogon.exe, services.exe or lsass.exe
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
date: 2020/10/07
tags:
    - attack.privilege_escalation
author: 'oscd.community, Semanur Guneysu @semanurtg'
logsource:
    product: windows
    service: sysmon
    category: process_creation
detection:
    selection:
        EventID: 1
        ParentImage:
            - '*\winlogon.exe'
            - '*\services.exe'    # was '*\services.ex', which can never match services.exe
            - '*\lsass.exe'
            - '*\csrss.exe'
            - '*\smss.exe'
            - '*\wininit.exe'
            - '*\spoolsv.exe'
            - '*\searchindexer.exe'
    filter1:
        Image:
            - '*\powershell.exe'
            - '*\cmd.exe'
    filter2:
        User: 'NT AUTHORITY\\SYSTEM'    # '\\' is Sigma escaping for one literal backslash
    filter3:
        CommandLine:    # values are matched as written, including the surrounding spaces
            - ' *route* '
            - ' *ADD* '
    condition: selection and filter1 and filter2 and filter3
fields:
    - ParentImage
    - Image
    - User
    - CommandLine
falsepositives:
    - unknown
level: high
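A detection rule is only as good as the matching semantics of the backend it ends up in, so it pays to unit-test the rule's logic against sample events before deployment. The following is an added example, not part of the rule above or of the Sigma project: a minimal Python matcher that applies the Sigma specification's string semantics (case-insensitive, `*` and `?` wildcards, backslash escaping, full-string match) to the four detection sections of this rule, combined with the rule's AND condition. The events, the `RULE` dict (copied from the rule, with `services.ex` corrected to `services.exe`) and the `RELAXED_RULE` variant are all constructed here for illustration; the variant only exists to show how the literal surrounding spaces in the `CommandLine` values change what fires.

```python
import re
from typing import Any, Dict, List, Union

# The page's rule as a plain dict. Backslashes are doubled for Python; the User
# value keeps Sigma's '\\' escape, which stands for one literal backslash.
RULE: Dict[str, Dict[str, Any]] = {
    "selection": {
        "EventID": 1,
        "ParentImage": [
            "*\\winlogon.exe", "*\\services.exe", "*\\lsass.exe", "*\\csrss.exe",
            "*\\smss.exe", "*\\wininit.exe", "*\\spoolsv.exe", "*\\searchindexer.exe",
        ],
    },
    "filter1": {"Image": ["*\\powershell.exe", "*\\cmd.exe"]},
    "filter2": {"User": "NT AUTHORITY\\\\SYSTEM"},
    "filter3": {"CommandLine": [" *route* ", " *ADD* "]},
}
# condition: selection and filter1 and filter2 and filter3
CONDITION_SECTIONS = ["selection", "filter1", "filter2", "filter3"]

# Hypothetical variant (an assumption for this example, not the rule's text):
# the CommandLine values without the leading/trailing spaces.
RELAXED_RULE = dict(RULE, filter3={"CommandLine": ["*route*", "*ADD*"]})


def sigma_to_regex(value: str) -> "re.Pattern[str]":
    """Translate one Sigma string value into an anchored, case-insensitive regex.

    '*' -> any run of characters, '?' -> one character, '\\*' '\\?' '\\\\' -> the
    literal character; every other character (spaces included) is literal.
    """
    out: List[str] = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(re.escape(value[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def _value_matches(expected: Union[str, int], actual: Any) -> bool:
    """Integers compare exactly; strings go through the wildcard regex (full match)."""
    if isinstance(expected, int):
        return str(actual) == str(expected)
    return sigma_to_regex(expected).fullmatch(str(actual)) is not None


def section_matches(section: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A section is an AND over its fields; a list of values for one field is an OR."""
    for field, expected in section.items():
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(v, event[field]) for v in values):
            return False
    return True


def hits(event: Dict[str, Any], rule: Dict[str, Dict[str, Any]] = RULE) -> Dict[str, bool]:
    """Which named sections of the rule match this event (useful when tuning)."""
    return {name: section_matches(rule[name], event) for name in CONDITION_SECTIONS}


def evaluate(event: Dict[str, Any], rule: Dict[str, Dict[str, Any]] = RULE) -> bool:
    """Apply the rule's condition: every section must match."""
    return all(hits(event, rule).values())


# Constructed Sysmon Event ID 1 records (field subset only; sample data, not real telemetry).
EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\winlogon.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "cmd.exe /c route ADD 10.0.0.0 MASK 255.0.0.0 192.0.2.1"},
    # Constructed so that the literal surrounding spaces of ' *route* ' / ' *ADD* ' are present.
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\winlogon.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": " route ADD 10.0.0.0 MASK 255.0.0.0 192.0.2.1 "},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"], "->", hits(ev), "fires:", evaluate(ev),
              "| relaxed variant fires:", evaluate(ev, RELAXED_RULE))
```

Run as a script it prints, per event, which sections matched and whether the rule fires. The second event (a realistic `route ADD` command line) satisfies `selection`, `filter1` and `filter2` but not `filter3` under strict spec semantics, because the pattern ` *route* ` requires the command line to begin with a space; only the relaxed variant fires on it. Whether a given SIEM backend treats those spaces the same way is exactly the kind of thing to confirm with a test like this before trusting the rule in production, and the same harness shows why the original `*\services.ex` value would never match `services.exe`.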