Nasreddine Bencherchali
47 lines
1.8 KiB
YAML
47 lines
1.8 KiB
YAML
title: Suspicious Elevated System Shell
|
|
id: 178e615d-e666-498b-9630-9ed363038101
|
|
status: experimental
|
|
description: Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.
|
|
references:
|
|
- https://github.com/Wh04m1001/SysmonEoP
|
|
author: frack113, Tim Shelton (update fp)
|
|
date: 2022/12/05
|
|
modified: 2022/12/28
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.defense_evasion
|
|
- attack.execution
|
|
- attack.t1059
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection_shell:
|
|
- Image|endswith:
|
|
- '\powershell.exe'
|
|
- '\pwsh.exe'
|
|
- '\cmd.exe'
|
|
- OriginalFileName:
|
|
- 'PowerShell.EXE'
|
|
- 'pwsh.dll'
|
|
- 'Cmd.Exe'
|
|
selection_user:
|
|
User|contains: # covers many language settings
|
|
- 'AUTHORI'
|
|
- 'AUTORI'
|
|
LogonId: '0x3e7'
|
|
filter_compattelrunner:
|
|
ParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
|
|
ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun'
|
|
OriginalFileName: 'PowerShell.EXE'
|
|
CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host'
|
|
filter_erl:
|
|
# Example:
|
|
# C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
|
|
ParentImage|startswith: 'C:\Program Files\erl-'
|
|
ParentImage|endswith: '\bin\erl.exe'
|
|
condition: all of selection_* and not 1 of filter_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|