rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing

This commit is contained in:
yugoslavskiy 2019-06-03 15:37:41 +02:00
parent a0c9f1594e
commit 10db09c596


@ -0,0 +1,25 @@
title: Windows Kernel and 3rd-party drivers exploits. Token stealing
description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
- attack.privilege_escalation
- attack.t1068
status: experimental
author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentIntegrityLevel: Medium
IntegrityLevel: System
User: "NT AUTHORITY\\SYSTEM"
condition: selection
falsepositives:
- Unknown
level: critical
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
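Review bot: the `description` says the parent has "non-SYSTEM privileges and Medium integrity level", but the `selection` only constrains `ParentIntegrityLevel: Medium`; nothing checks the parent's user, so the rule fires on the integrity-level mismatch alone. Either add a parent-user field to the selection (the enrichment `EN_0002_enrich_sysmon_event_id_1_with_parent_info` appears to be what supplies parent attributes) or reword the description to match what is actually matched. Related: `ParentIntegrityLevel` is not a native Sysmon Event ID 1 field, so the rule silently depends on that enrichment having run; that dependency should be stated in the description rather than only in the `enrichment` list. Finally, `falsepositives: - Unknown` on a `level: critical` rule is worth a second look before merging; with `condition: selection` and no exclusions, any legitimate Medium-to-System transition will page at critical severity.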