Suspicious Child Process Created as System

Severity
high
Author
Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
Source
upstream

Detects child processes spawned with SYSTEM privileges by parent processes running as the LOCAL SERVICE or NETWORK SERVICE accounts.

MITRE ATT&CK coverage

Tactic                Technique
Privilege Escalation  T1134.002 Access Token Manipulation: Create Process with Token
Defense Evasion       T1134.002 Access Token Manipulation: Create Process with Token

Event coverage

Provider  Event ID  Title
Sysmon    1         Process creation

Stages and Predicates

Stage 1: selection (every field below must match; the values listed under one field are alternatives)

IntegrityLevel:
  - S-1-16-16384
  - System
ParentUser|endswith:
  - '\LOCAL SERVICE'
  - '\NETWORK SERVICE'
ParentUser|contains:
  - AUTHORI
  - AUTORI
User|endswith:
  - '\SYSTEM'
  - '\Système'
  - '\СИСТЕМА'
User|contains:
  - AUTHORI
  - AUTORI

Stage 2: not 1 of filter_rundll32 (an event is excluded only when both conditions hold)

CommandLine|contains: DavSetCookie
Image|endswith: '\rundll32.exe'
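As an added example that is not part of this catalog page or of the SigmaHQ project, the two stages above evaluated in Python over constructed Sysmon Event ID 1 records. The field names and value lists are the rule's own; the record ids, account names and command lines are constructed, and string comparison is case-insensitive, which is the default for Sigma's contains and endswith modifiers.

```python
# Added example: a reference evaluation of this rule's selection and
# filter_rundll32 stages over constructed Sysmon Event ID 1 records.
# Not the catalog's or SigmaHQ's own code; field names follow the rule.

# Value lists copied from the two stages above.
INTEGRITY_LEVELS = ("S-1-16-16384", "System")
PARENT_SUFFIXES = ("\\LOCAL SERVICE", "\\NETWORK SERVICE")
AUTHORITY_FRAGMENTS = ("AUTHORI", "AUTORI")  # "NT AUTHORITY" and localized spellings
SYSTEM_SUFFIXES = ("\\SYSTEM", "\\Système", "\\СИСТЕМА")


def _ends_with_any(value, suffixes):
    # Sigma string modifiers compare case-insensitively by default.
    v = value.casefold()
    return any(v.endswith(s.casefold()) for s in suffixes)


def _contains_any(value, fragments):
    v = value.casefold()
    return any(f.casefold() in v for f in fragments)


def selection(ev):
    """Stage 1. Fields in one Sigma selection are ANDed; the values listed
    for a field are ORed."""
    level = ev.get("IntegrityLevel", "").casefold()
    parent = ev.get("ParentUser", "")
    user = ev.get("User", "")
    return (
        level in {x.casefold() for x in INTEGRITY_LEVELS}
        and _ends_with_any(parent, PARENT_SUFFIXES)
        and _contains_any(parent, AUTHORITY_FRAGMENTS)
        and _ends_with_any(user, SYSTEM_SUFFIXES)
        and _contains_any(user, AUTHORITY_FRAGMENTS)
    )


def filter_rundll32(ev):
    """Stage 2. Excludes the WebDAV cookie refresh that rundll32 performs."""
    return _contains_any(ev.get("CommandLine", ""), ("DavSetCookie",)) and _ends_with_any(
        ev.get("Image", ""), ("\\rundll32.exe",)
    )


def rule_matches(ev):
    """selection and not 1 of filter_rundll32."""
    return selection(ev) and not filter_rundll32(ev)


def scan(events):
    """Ids of the records the rule would alert on, in input order."""
    return [ev["id"] for ev in events if rule_matches(ev)]


# Constructed sample records (not real telemetry); only the rule's fields are present.
SAMPLE_EVENTS = [
    # Service-account parent spawning a SYSTEM child: the pattern the rule targets.
    {"id": "svc-parent-system-child", "IntegrityLevel": "System",
     "ParentUser": "NT AUTHORITY\\NETWORK SERVICE", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    # Same account pattern, but the rundll32 DavSetCookie filter removes it.
    {"id": "webdav-cookie-refresh", "IntegrityLevel": "System",
     "ParentUser": "NT AUTHORITY\\LOCAL SERVICE", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe davclnt.dll,DavSetCookie example.test http://example.test/"},
    # Localized SYSTEM name in User; still matches through the '\СИСТЕМА' suffix.
    {"id": "localized-system-user", "IntegrityLevel": "S-1-16-16384",
     "ParentUser": "NT AUTHORITY\\NETWORK SERVICE", "User": "NT AUTHORITY\\СИСТЕМА",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    # Localized parent account name (constructed): the rule lists only the English
    # '\LOCAL SERVICE' / '\NETWORK SERVICE' suffixes for ParentUser, so no alert.
    {"id": "localized-parent-name", "IntegrityLevel": "System",
     "ParentUser": "AUTORITE NT\\SERVICE RÉSEAU", "User": "AUTORITE NT\\Système",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    # SYSTEM spawning SYSTEM is routine and outside the rule's parent list.
    {"id": "system-parent-system-child", "IntegrityLevel": "System",
     "ParentUser": "NT AUTHORITY\\SYSTEM", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:<28} selection={selection(ev)!s:<5} "
              f"filtered={filter_rundll32(ev)!s:<5} alert={rule_matches(ev)}")
    print("alerts:", scan(SAMPLE_EVENTS))
```

The localized records are there on purpose: the rule's User field carries several locale spellings of SYSTEM, but ParentUser lists only the English service-account suffixes, so the fourth record passes through without an alert even though the child runs as the localized SYSTEM account. The second record shows the filter stage doing its job: the selection fires, and only the rundll32 DavSetCookie exclusion keeps it out of the alert list.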

Indicators

Each row is a field, an operator, and the values the rule matches against. The corpus column counts how many other rules in the catalog look for the same field/operator/value combination: a high number points to a widely used, community-vetted indicator, while a blank cell or a count of 1 shows that the indicator is specific to this rule.

Field / Kind / Values

CommandLine (match)
  • DavSetCookie
Image (ends_with)
  • \rundll32.exe  corpus 76 (sigma 76)
IntegrityLevel (eq)
  • S-1-16-16384  corpus 21 (sigma 21)
  • System  corpus 21 (sigma 21)
ParentUser (ends_with)
  • \LOCAL SERVICE
  • \NETWORK SERVICE
ParentUser (match)
  • AUTHORI  corpus 2 (sigma 2)
  • AUTORI  corpus 2 (sigma 2)
User (ends_with)
  • \SYSTEM
  • \Système
  • \СИСТЕМА
User (match)
  • AUTHORI  corpus 16 (sigma 16)
  • AUTORI  corpus 16 (sigma 16)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches: they cover the same events plus more. Use them if you want wider coverage and can absorb the additional false positives.