
Exploitation for Privilege Escalation (T1068)

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Provider                | Event ID | Title
Sysmon                  | 1        | Process creation
Sysmon                  | 6        | Driver loaded
Sysmon                  | 10       | ProcessAccess
Sysmon                  | 11       | FileCreate
Security-Auditing       | 4688     | A new process has been created.
Security-Auditing       | 4742     | A computer account was changed.
Security-Auditing       | 4781     | The name of an account was changed.
Security-Auditing       | 5136     | A directory service object was modified.
Audit-CVE               | 1        | Possible detection of CVE: PossibleDetectionOfCVE.
Service-Control-Manager | 7045     | A service was installed in the system.

Authoring guide

Patterns shared across the 22 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (24 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (for example eq, in, ends_with, starts_with, match, regex_match) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list.

Field                    | Rules | How                       | Sample values
Image                    | 8     | ends_with 5, in 2, eq 1   | "*\\\\*", "*\\Users\\*", "*\\Temp\\*", \SysmonEOP.exe, \SharpSuccessor.exe
IntegrityLevel           | 4     | eq 4, in 2                | "system", "medium", "high", S-1-16-16384, System
EventID                  | 4     | eq 4                      | 10, 7045, 6, 1
Hashes                   | 3     | match 3                   | IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC, IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5, MD5=5129d8fd53d6a4aba81657ab2aa5d243, SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c, SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0
ParentImage              | 3     | in 2, ends_with 1         | "*\\\\*", "*\\Users\\*", "*\\Temp\\*", \spoolsv.exe
EventType                | 2     | eq 2                      | renamed-user-account, changed-computer-account
OriginalFileName         | 2     | eq 2                      | SharpSuccessor.exe, RUNDLL32.EXE
CommandLine              | 2     | match 2, ends_with 1      | /name, /path, SharpSuccessor, add portopening, route add
ImageLoaded              | 2     | ends_with 2               | \fur.sys, \daxin_blank2.sys, \gftkyj64.sys, \ene.sys, \bsmi.sys
TargetFilename           | 2     | ends_with 2, match 2      | .sys, \PROCEXP, \procmon
AttributeLDAPDisplayName | 1     | eq 1                      | msPKIAccountCredentials
OperationType            | 1     | eq 1                      | %%14674
OldTargetUserName        | 1     | ends_with 1               | $
user.id                  | 1     | starts_with 1             | S-1-12-1-, S-1-5-21-
DnsHostName              | 1     | starts_with 1             | ??

Top indicator values (5654 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field                    | Kind        | Value                                    | Rules (here) | Corpus reach
IntegrityLevel           | eq          | "system"                                 | 3            | 2
Hashes                   | match       | IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511 | 2            | 2
Hashes                   | match       | IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4 | 2            | 2
TargetFilename           | ends_with   | .sys                                     | 2            | 6
Image                    | in          | "*\\Temp\\*"                             | 2            | 3
IntegrityLevel           | in          | "low"                                    | 2            | 3
ParentImage              | in          | "*\\\\*"                                 | 2            | 2
IntegrityLevel           | in          | "medium"                                 | 2            | 3
ParentImage              | in          | "*\\Temp\\*"                             | 2            | 2
Image                    | in          | "*\\ProgramData\\*"                      | 2            | 3
Image                    | in          | "*\\Users\\*"                            | 2            | 2
ParentImage              | in          | "*\\ProgramData\\*"                      | 2            | 2
ParentImage              | in          | "*\\Users\\*"                            | 2            | 2
IntegrityLevel           | in          | "high"                                   | 2            | 2
Image                    | in          | "*\\\\*"                                 | 2            | 2
AttributeLDAPDisplayName | eq          | msPKIAccountCredentials                  | 1            |
OperationType            | eq          | %%14674                                  | 1            | 4
EventType                | eq          | renamed-user-account                     | 1            |
OldTargetUserName        | ends_with   | $                                        | 1            |
user.id                  | starts_with | S-1-12-1-                                | 1            |

Common exclusions (14 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field             | Kind        | Value                                                              | Rules excluding
user              | in          | "*SYSTEM"                                                          | 2
user              | in          | "*LOCAL SERVICE"                                                   | 2
user              | in          | "DWM-*"                                                            | 2
user              | in          | "*$"                                                               | 2
user              | in          | "*NETWORK SERVICE"                                                 | 2
SubjectUserSid    | eq          | S-1-5-18                                                           | 1
NewTargetUserName | ends_with   | $                                                                  | 1
ImagePath         | regex_match | "(?i)^(\w:\\\\Program Files\\\\|\w:\\\\Program Files...            | 1
ParentUser        | in          | "*$"                                                               | 1
ParentUser        | in          | "*NETWORK SERVICE"                                                 | 1
ParentUser        | in          | "*DWM-*"                                                           | 1
ParentUser        | in          | "*SYSTEM"                                                          | 1
ParentUser        | in          | "*LOCAL SERVICE"                                                   | 1
ParentUser        | in          | "-"                                                                | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor (22 rules in total). Each rule title links to its full predicates, exclusions, and indicators.

Sigma: 10 rules

Elastic: 3 rules

Splunk: 7 rules

Kusto Query Language: 2 rules