title: Abused Debug Privilege by Arbitrary Parent Processes
ruletype: Sigma
author: Semanur Guneysu @semanurtg, oscd.community
date: 2020/10/28
description: Detection of unusual child processes by different system processes
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    ParentImage:
    - '*\winlogon.exe'
    - '*\services.exe'
    - '*\lsass.exe'
    - '*\csrss.exe'
    - '*\smss.exe'
    - '*\wininit.exe'
    - '*\spoolsv.exe'
    - '*\searchindexer.exe'
  SELECTION_3:
    Image:
    - '*\powershell.exe'
    - '*\cmd.exe'
  SELECTION_4:
    User:
    - NT AUTHORITY\SYSTEM*
    - AUTORITE NT\Sys*
  SELECTION_5:
    CommandLine: '* route *'
  SELECTION_6:
    CommandLine: '* ADD *'
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
    (SELECTION_5 and SELECTION_6))
falsepositives:
- unknown
fields:
- ParentImage
- Image
- User
- CommandLine
id: d522eca2-2973-4391-a3e0-ef0374321dae
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/11/27
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
status: test
tags:
- attack.privilege_escalation
- attack.t1548