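title: Detection of Possible Rotten Potato
id: 6c5808ee-85a2-4e56-8137-72e5876a5096
# Detects a privilege boundary being crossed at process creation: a child
# running as SYSTEM whose parent ran under one of the two service accounts.
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
tags:
    - attack.privilege_escalation
    - attack.t1134 # an old one
    - attack.t1134.002
status: experimental
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2020/09/01
logsource:
    category: process_creation
    product: windows
    # ParentUser is not a native Sysmon Event ID 1 field; it is supplied by the
    # enrichments listed under `enrichment` below. Without them the selection
    # never matches and the rule is silently inert.
    definition: Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section
detection:
    selection:
        # Parent ran as one of the low-privilege service accounts ...
        ParentUser:
            - 'NT AUTHORITY\NETWORK SERVICE'
            - 'NT AUTHORITY\LOCAL SERVICE'
        # ... and the child it spawned runs as SYSTEM.
        User: 'NT AUTHORITY\SYSTEM'
    # Known benign case excluded from the match: rundll32 invoking the
    # WebDAV client's DavSetCookie export. Keep the filter this narrow so a
    # SYSTEM rundll32 child with any other command line still alerts.
    rundllexception:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DavSetCookie'
    condition: selection and not rundllexception
falsepositives:
    - Unknown
level: high
# Enrichment steps that populate ParentUser from a cached Event ID 1 record
# of the parent process; see the `definition` under logsource.
enrichment:
    - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l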