Potential Privilege Escalation To LOCAL SYSTEM

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges

MITRE ATT&CK coverage

Tactic	Techniques
Resource Development	`T1587.001` Develop Capabilities: Malware

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
CommandLine|contains: ' -i -s cmd'
CommandLine|contains: ' -i -s powershell'
CommandLine|contains: ' -i -s pwsh'
CommandLine|contains: ' -s -i cmd'
CommandLine|contains: ' -s -i powershell'
CommandLine|contains: ' -s -i pwsh'
CommandLine|contains: ' -s cmd'
CommandLine|contains: ' -s powershell'
CommandLine|contains: ' -s pwsh'

Stage 2: `not 1 of filter_main_exclude_coverage`

or:
CommandLine|contains: PsExec
CommandLine|contains: accepteula
CommandLine|contains: paexec

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-i -s cmd` corpus 2 (sigma 2) `-i -s powershell` corpus 2 (sigma 2) `-i -s pwsh` corpus 2 (sigma 2) `-s -i cmd` corpus 2 (sigma 2) `-s -i powershell` corpus 2 (sigma 2) `-s -i pwsh` corpus 2 (sigma 2) `-s cmd` corpus 2 (sigma 2) `-s powershell` corpus 2 (sigma 2) `-s pwsh` corpus 2 (sigma 2) `PsExec` `accepteula` corpus 3 (sigma 3) `paexec` corpus 2 (sigma 2)