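id: a78b826e-f2d1-42f9-b21b-20cf3bc2d391
name: Potential Local Exploitation for Privilege Escalation
description: |
  This query detects a process that runs under SYSTEM user's security context and was spawned by a process that was running under a lower security context indicating an exploitation for privilege escalation.
  Ref: https://attack.mitre.org/techniques/T1068/
# NOTE(review): the query below reads the Event table (Sysmon forwarded by the
# agent), while the declared data type is SecurityEvent — confirm this
# connector declaration matches how Sysmon is ingested in the workspace.
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
# T1068 (Exploitation for Privilege Escalation) belongs to the Privilege
# Escalation tactic in ATT&CK, not Execution; the tactic label now agrees with
# the technique listed under relevantTechniques.
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1068
# Source data: Sysmon Event ID 1 (process creation). IntegrityLevel and
# ParentUser are extracted from the raw EventData XML with parse; when parse
# finds no match the extracted column is an empty string. An empty
# IntegrityLevel fails the "System" filter, but an empty ParentUser passes the
# exclusion below — NOTE(review): a Sysmon build or config that does not emit
# ParentUser would therefore surface every System-integrity process creation;
# confirm the deployed Sysmon emits that field.
# The ParentUser exclusion is a fixed list of the built-in service accounts
# that routinely spawn System-integrity children; "-" presumably covers the
# placeholder Sysmon writes when the parent user cannot be resolved. Other
# accounts that may run at System integrity (e.g. NT SERVICE\* virtual
# accounts) are not excluded and will appear in results for triage.
# `in` is case-sensitive in KQL, so the values match Sysmon's exact casing.
# UserName in the summarize is a column of the Event table itself; it is not
# parsed from EventData.
query: |
  Event
  | where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
  | parse EventData with * 'IntegrityLevel">' IntegrityLevel "<" * 'ParentUser">' ParentUser "<" *
  | where IntegrityLevel in ("System") and not(ParentUser in ("NT AUTHORITY\\NETWORK SERVICE","-","NT AUTHORITY\\SYSTEM","NT AUTHORITY\\LOCAL SERVICE"))
  | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'CommandLine">' CommandLine "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ParentUser, ParentImage, ParentCommandLine, ParentProcessGuid, IntegrityLevel, UserName, Image, CommandLine, ProcessGuid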