title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: experimental
description: Detection of unusual child processes by different system processes
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
date: 2020/10/28
tags:
    - attack.privilege_escalation
    - attack.t1548
author: 'Semanur Guneysu @semanurtg, oscd.community'
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        ParentImage|endswith:
        - '\winlogon.exe'
        - '\services.exe'
        - '\lsass.exe'
        - '\csrss.exe'
        - '\smss.exe'
        - '\wininit.exe'
        - '\spoolsv.exe'
        - '\searchindexer.exe'
    selection2:
           Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    selection3:
            User: 'NT AUTHORITY\SYSTEM'
    filter:
           CommandLine|contains|all:
           - ' route '
           - ' ADD '
    condition: selection1 and selection2 and selection3 and not filter
fields:
    - ParentImage
    - Image
    - User
    - CommandLine
falsepositives:
    - unknown
level: high