Merge pull request #1664 from frack113/parentofparent

Move to rules-unsupported as use special enrichment field

rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml

@@ -6,12 +6,14 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 tags:
     - attack.privilege_escalation
     - attack.t1548.002
 logsource:
     product: windows
     category: process_creation
+    definition : Works only if  Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
 detection:
     parent_image:
         ParentImage|endswith:

rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml

@@ -12,6 +12,7 @@ date: 2019/06/03
 logsource:
     category: process_creation
     product: windows
+    definition : Works only if  Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
 detection:
     selection:
         ParentIntegrityLevel: Medium

rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml

@@ -15,6 +15,7 @@ modified: 2020/09/01
 logsource:
     category: process_creation
     product: windows
+    definition : Works only if  Enrich Sysmon events with additional information about process in ParentUser check enrichment section
 detection:
     selection:
         ParentUser: