Exploitation for Privilege Escalation (T1068)

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Events covered

21 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 62 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (64 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
EventID | 17 | eq 17 | 4688, 1, 6, 7045, 10
Image | 17 | ends_with 12, in 3, starts_with 3, contains 1, eq 1, is_null 1, regex_match 1 | *\\\\*, *\\programdata\\*, *\\temp\\*, \bitsadmin.exe, \cmd.exe
CommandLine | 12 | contains 10, regex_match 2, ends_with 1, in 1 | -u#, /account, /impersonate, /name, /user:gentilguest
ParentImage | 9 | ends_with 5, in 2, eq 1, regex_match 1 | *\\\\*, *\\programdata\\*, *\\temp\\*, \\sharpsuccessor\.exe, \consent.exe
IntegrityLevel | 7 | eq 7, in 2 | System, High, Low, Medium
OriginalFileName | 6 | eq 4, in 1, ne 1 | *certpotato*, *coercedpotato*, *genericpotato*, cmd.exe, elevation_service.exe
TargetFilename | 6 | ends_with 5, contains 3, eq 1, starts_with 1, wildcard 1 | .sys, .rbs, /etc/nsswitch.conf, /usr/share/factory/etc/nsswitch.conf, :\\config.msi\\
event.type | 6 | eq 6 | start, creation, deletion
parent_process_name | 6 | eq 4, regex_match 2 | (?i):\x5cWindows\x5csystem32\x5cconsent\.exe, spoolsv.exe, brave.exe, browser.exe, chrome.exe
ImageLoaded | 4 | ends_with 3, starts_with 1 | \1.sys, \1fc7aeeff3ab19004d2e53eae8160ab1.sys, \2.sys, \4.sys, \80.sys
process_name | 4 | eq 3, ne 1 | cmd.exe, elevation_service.exe, powershell.exe, regsvr32.exe, sc.exe
Hashes | 3 | contains 3 | imphash=01aa65221a48929f0a34a27c4e3011b1, imphash=021fd02a8adad420116496b6f2759960, imphash=0262d4147f21d681f8519ab2af79283f, imphash=0265c50548889ffd5c2d3a2539885efe, imphash=059c6bd84285f4960e767f032b33f19b
EventData | 2 | contains 2 | -encodedcommand, activesyncalloweddeviceids, add, powershell.exe, powershell_ise.exe
EventType | 2 | eq 2 | changed-computer-account, renamed-user-account
OldTargetUserName | 2 | ends_with 2 | $

Top indicator values (5846 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. A high number marks a widely used indicator that is likely noisy on its own; combine it with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
--- | --- | --- | --- | ---
IntegrityLevel | eq | System | 7 | 31
EventID | eq | 4688 | 4 | 312
EventID | eq | 1 | 3 | 232
EventID | eq | 6 | 2 | 5
EventID | eq | 7045 | 2 | 20
event.type | eq | start | 4 | 241
Image | ends_with | \cmd.exe | 3 | 134
Image | ends_with | \powershell.exe | 3 | 186
Image | ends_with | \pwsh.exe | 3 | 172
Image | ends_with | \bitsadmin.exe | 2 | 29
Image | ends_with | \certutil.exe | 2 | 44
Hashes | contains | imphash=28dc68bb6d6bf4f6b2db8dd7588b2511 | 2 | 2
Hashes | contains | imphash=45bfe170e0cd654bc1e2ae3fca3ac3f4 | 2 | 2
Image | in | *\\\\* | 2 | 2
Image | in | *\\programdata\\* | 2 | 4
Image | in | *\\temp\\* | 2 | 5
Image | in | *\\users\\* | 2 | 2
Image | starts_with | c:\windows\system32\ | 2 | 24
Image | starts_with | c:\windows\syswow64\ | 2 | 22
IntegrityLevel | in | High | 2 | 5
IntegrityLevel | in | Low | 2 | 3
IntegrityLevel | in | Medium | 2 | 3
OldTargetUserName | ends_with | $ | 2 | 3
ParentImage | in | *\\\\* | 2 | 2
ParentImage | in | *\\programdata\\* | 2 | 2
ParentImage | in | *\\temp\\* | 2 | 3
ParentImage | in | *\\users\\* | 2 | 2
ServiceSid | ends_with | -502 | 2 | 5
Status | eq | 0 | 2 | 5
TargetFilename | ends_with | .sys | 2 | 6

Exclusions (112 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
--- | --- | --- | ---
CommandLine | contains | .spl | 2
CommandLine | contains | add portopening | 2
CommandLine | contains | route add | 2
CommandLine | contains | rule name | 2
CommandLine | contains | start | 2
Image | starts_with | c:\windows\system32\ | 2
Image | starts_with | c:\windows\syswow64\ | 2
NewTargetUserName | ends_with | $ | 2
SubjectUserSid | eq | S-1-5-18 | 2
process_name | eq | msiexec.exe | 2
process_name | eq | spoolsv.exe | 2
process_name | regex_match | (?i):\x5cwindows\x5csystem32\x5cwerfault\.exe | 2
user | in | *$ | 2
user | in | *local service | 2
user | in | *network service | 2

Rules under this technique

Every rule in the catalog tagged with this technique (62 in total), grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.

Sigma: 25 rules
Elastic: 11 rules
Splunk: 23 rules
Kusto: 2 rules
YARA-L: 1 rule