title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: experimental
description: Detects cmd.exe or powershell.exe started as SYSTEM by core Windows system processes (winlogon, services, lsass, csrss, smss, wininit, spoolsv, searchindexer). These parents do not normally spawn interactive shells; the pattern appears when SeDebugPrivilege is abused to obtain a handle to a privileged process and launch a child from it. Shells running 'route ADD' under these parents are excluded as a known benign case.
author: Semanur Guneysu @semanurtg, oscd.community
date: 2020/10/28
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
tags:
    - attack.privilege_escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        ParentImage: '*\winlogon.exe'
    SELECTION_3:
        ParentImage: '*\services.exe'
    SELECTION_4:
        ParentImage: '*\lsass.exe'
    SELECTION_5:
        ParentImage: '*\csrss.exe'
    SELECTION_6:
        ParentImage: '*\smss.exe'
    SELECTION_7:
        ParentImage: '*\wininit.exe'
    SELECTION_8:
        ParentImage: '*\spoolsv.exe'
    SELECTION_9:
        ParentImage: '*\searchindexer.exe'
    SELECTION_10:
        Image: '*\powershell.exe'
    SELECTION_11:
        Image: '*\cmd.exe'
    SELECTION_12:
        User: 'NT AUTHORITY\SYSTEM*'
    SELECTION_13:
        # French localized account name (AUTORITE NT\Système)
        User: 'AUTORITE NT\Sys*'
    SELECTION_14:
        CommandLine: '* route *'
    SELECTION_15:
        CommandLine: '* ADD *'
    condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and (SELECTION_10 or SELECTION_11) and (SELECTION_12 or SELECTION_13)) and not (SELECTION_14 and SELECTION_15))
fields:
    - ParentImage
    - Image
    - User
    - CommandLine
falsepositives:
    - unknown
level: high
yml_filename: sysmon_abusing_debug_privilege.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
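To see how the condition behaves on real-looking telemetry, the following added example (not part of the rule or of the Sigma project) re-implements its logic in Python and runs it over a handful of constructed Sysmon EventID 1 records. Wildcard matching is done with `fnmatch` on lower-cased values, which mirrors Sigma's default case-insensitive `*` matching; the record layout (a dict with `EventID`, `ParentImage`, `Image`, `User`, `CommandLine`) is an assumption, not an official Sysmon export format.

```python
"""Evaluate the 'Abused Debug Privilege by Arbitrary Parent Processes' logic
over constructed Sysmon process-creation (EventID 1) records.

Added example: the matching helpers and sample events below are assumptions
made for illustration, not code from the rule or the Sigma project.
"""
import fnmatch

# Sigma string matching is case-insensitive and '*' is a wildcard; fnmatch
# treats backslash as a literal, so '*\\cmd.exe' works as written.
def _match(value, pattern):
    return value is not None and fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def _any(value, patterns):
    return any(_match(value, p) for p in patterns)

# SELECTION_2 .. SELECTION_9: privileged parents that never spawn shells normally
PARENT_PATTERNS = ['*\\winlogon.exe', '*\\services.exe', '*\\lsass.exe', '*\\csrss.exe',
                   '*\\smss.exe', '*\\wininit.exe', '*\\spoolsv.exe', '*\\searchindexer.exe']
# SELECTION_10 / SELECTION_11
CHILD_PATTERNS = ['*\\powershell.exe', '*\\cmd.exe']
# SELECTION_12 / SELECTION_13 (English and French SYSTEM account names)
USER_PATTERNS = ['NT AUTHORITY\\SYSTEM*', 'AUTORITE NT\\Sys*']
# SELECTION_14 and SELECTION_15 must BOTH match for the exclusion to apply
FILTER_PATTERNS = ['* route *', '* ADD *']

def matches_rule(event):
    """Return True when the event satisfies the rule's condition."""
    if event.get('EventID') != 1:                      # SELECTION_1
        return False
    selection = (_any(event.get('ParentImage'), PARENT_PATTERNS)
                 and _any(event.get('Image'), CHILD_PATTERNS)
                 and _any(event.get('User'), USER_PATTERNS))
    cmd = event.get('CommandLine')
    route_add = all(_match(cmd, p) for p in FILTER_PATTERNS)
    return selection and not route_add

def evaluate(events):
    """Return the ids of events that would raise an alert."""
    return [e['Id'] for e in events if matches_rule(e)]

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {'Id': 'E1', 'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\winlogon.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'User': 'NT AUTHORITY\\SYSTEM',
     'CommandLine': 'cmd.exe /c whoami'},                       # alert
    {'Id': 'E2', 'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\services.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'User': 'NT AUTHORITY\\SYSTEM',
     'CommandLine': 'cmd.exe /c route ADD 10.0.0.0 MASK 255.0.0.0 10.0.0.1'},  # excluded by filter
    {'Id': 'E3', 'EventID': 1, 'ParentImage': 'C:\\Windows\\explorer.exe',
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'User': 'CORP\\alice', 'CommandLine': 'powershell.exe'},   # wrong parent and user
    {'Id': 'E4', 'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\lsass.exe',
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'User': 'AUTORITE NT\\Système', 'CommandLine': 'powershell.exe -nop -w hidden -enc AAA='},  # alert (French)
    {'Id': 'E5', 'EventID': 3, 'ParentImage': 'C:\\Windows\\System32\\winlogon.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'User': 'NT AUTHORITY\\SYSTEM',
     'CommandLine': 'cmd.exe'},                                 # not a process-creation event
    {'Id': 'E6', 'EventID': 1, 'ParentImage': 'C:\\Windows\\System32\\spoolsv.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'User': 'NT AUTHORITY\\SYSTEM',
     'CommandLine': 'cmd.exe /c route PRINT'},                  # alert: 'route' alone is not excluded
]

if __name__ == '__main__':
    print(evaluate(SAMPLE_EVENTS))
```

E2 shows why the exclusion is a conjunction: only a command line carrying both ` route ` and ` ADD ` is dropped, so E6 (`route PRINT` under spoolsv.exe) still fires. E4 shows why the French `AUTORITE NT\Sys*` pattern is needed on localized hosts; other locales would require their own entry.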