Exploitation for Privilege Escalation T1068
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Events covered
21 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 62 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (64 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (5846 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (112 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 25 rules
- Audit CVE Event
- Computer account created with privileges
- Computer account renamed without a trailing $ (CVE-2021-42278/42287)
- Exploiting CVE-2019-1388
- Exploiting SetupComplete.cmd CVE-2019-1378
- HackTool - SysmonEOP Execution
- HKTL - SharpSuccessor Privilege Escalation Tool Execution
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Kerberos ticket without a trailing $ (CVE-2021-42278/42287)
- Malicious Driver Load
- Malicious Driver Load By Name
- Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
- Potential CVE-2021-41379 Exploitation Attempt
- Potential CVE-2024-35250 Exploitation Activity
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Potential SystemNightmare Exploitation Attempt
- Privilege SeMachineAccountPrivilege abuse
- Process Explorer Driver Creation By Non-Sysinternals Binary
- Process Monitor Driver Creation By Non-Sysinternals Binary
- Sudo Privilege Escalation CVE-2019-14287
- Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287)
- Suspicious Spool Service Child Process
- Suspicious Sysmon as Execution Parent
- Vulnerable Driver Load
- Vulnerable Driver Load By Name
Elastic 11 rules
- Deprecated - Suspicious PrintSpooler Service Executable File Creation
- Expired or Revoked Driver Loaded
- Modification of the msPKIAccountCredentials
- Persistence via Update Orchestrator Service Hijack
- Potential Escalation via Vulnerable MSI Repair
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privileged Escalation via SamAccountName Spoofing
- Remote Computer Account DnsHostName Update
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Unusual Print Spooler Child Process
Splunk 23 rules
- Child Processes of Spoolsv exe
- Consent.exe Suspicious Child Process (Sysmon)
- Consent.exe Suspicious Child Process (Windows Event Log)
- Driver as Command Parameter (Windows Event Log)
- Driver Loaded from Unusual Path - Windows (Sysmon)
- Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Sysmon)
- Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Windows Event Log)
- First Time Seen Child Process of Zoom
- Kernel Service Installed - Windows (Windows Event Log)
- Spoolsv Suspicious Process Access
- Suspicious .sys Created - Windows (Sysmon)
- Windows Driver Load Non-Standard Path
- Windows Drivers Loaded by Signature
- Windows MSI Rollback Script Deleted By Non-Msiexec Process
- Windows Potato Privilege Escalation Tool Execution
- Windows Privilege Escalation Attempt Via MSI Rollback
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Windows Remote Image Load
- Windows Service Create Kernel Mode Driver
- Windows System File on Disk
- ZeroLogon CVE-2020-1472 (Windows Event Log)