From 10db09c59632ce572be5555b2b98fc2954b461b8 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 3 Jun 2019 15:37:41 +0200
Subject: [PATCH] rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing
---
 ..._party_drivers_exploits_token_stealing.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_kernel_and_3rd_party_drivers_exploits_token_stealing.yml

diff --git a/rules/windows/sysmon/sysmon_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules/windows/sysmon/sysmon_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
new file mode 100644
index 00000000..e1c6d47f
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -0,0 +1,25 @@
+title: Windows Kernel and 3rd-party drivers exploits. Token stealing
+description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
+references:
+ - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+status: experimental
+author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentIntegrityLevel: Medium
+ IntegrityLevel: System
+ User: "NT AUTHORITY\\SYSTEM"
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+enrichment:
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
\ No newline at end of file
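Review bot: The selection keys on `ParentIntegrityLevel`, which is not a field Sysmon itself writes into Event ID 1; the rule only matches once the EN_0002 enrichment listed at the bottom has attached parent data, and a pipeline that lacks that step will silently return nothing rather than fail. The description should state this dependency explicitly, e.g. append `Requires the EN_0002 parent-info enrichment: ParentIntegrityLevel is not a native Sysmon EventID 1 field.` The `User: "NT AUTHORITY\\SYSTEM"` literal is presumably locale-dependent (the built-in account name is localised on non-English Windows), while `IntegrityLevel: System` already pins the child to the SYSTEM integrity level, so consider whether the `User` clause adds anything or should be made locale-tolerant. `falsepositives: - Unknown` is a placeholder and, given `level: critical`, should be revisited once the rule has run against enriched data so that benign Medium-to-System spawns can be listed.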