Windows Privilege Escalation Suspicious Process Elevation
The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1068 Exploitation for Privilege Escalation, T1134 Access Token Manipulation, T1548 Abuse Elevation Control Mechanism |
| Defense Evasion | T1134 Access Token Manipulation, T1548 Abuse Elevation Control Mechanism |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT Processes.user IN ("*$", "*LOCAL SERVICE", "*NETWORK SERVICE", "*SYSTEM", "DWM-*") Processes.process_integrity_level IN ("high", "low", "medium") BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: eval
eval ... using (process_guid, process_integrity_level)
Stage 4: rename
rename
Stage 5: join
join type=inner (...)
Stage 6: where
where (elevated_integrity_level> OR user!=)
Stage 7: fields
fields count, dest, firstTime, lastTime, orig_parent_process, orig_parent_process_guid, orig_parent_process_name, parent_process, parent_process_current_directory, parent_process_guid, parent_process_integrity_level, parent_process_name, parent_process_path, process, process_current_directory, process_guid, process_integrity_level, process_name, process_path, src_user, user
Stage 8: search
search
Stage 9: search
search
Stage 10: search
search `macro`
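As an added illustration, not the rule's own SPL or Splunk's code, the parent/child check the stages above describe is re-implemented here in Python and run over a few constructed Sysmon Event ID 1 records. The integrity ordering (low < medium < high < system), the join on the parent's ProcessGuid, and the caller-supplied `suspicious_dirs` allowlist are assumptions: the page elides the real "suspicious locations" list and the full `where` clause, so only the user exclusions from Stage 1 are taken from the rule verbatim.

```python
"""Added example: Python model of the detection logic, not the rule's SPL.

Assumptions (the page does not state them):
  * integrity levels are ordered low < medium < high < system;
  * parent and child are joined on the parent's ProcessGuid;
  * the "suspicious locations" allowlist is passed in by the caller
    (hypothetical `suspicious_dirs`), because the page omits the real paths.
"""
import fnmatch
from dataclasses import dataclass

# Service and machine accounts the rule's Stage 1 suppresses (taken from the page).
EXCLUDED_USER_PATTERNS = ["*$", "*LOCAL SERVICE", "*NETWORK SERVICE", "*SYSTEM", "DWM-*"]

# Assumed ordering of Sysmon IntegrityLevel values.
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal subset of a Sysmon Event ID 1 (process creation) record."""
    guid: str          # ProcessGuid
    parent_guid: str   # ParentProcessGuid
    user: str          # User
    image: str         # Image (full path)
    integrity: str     # IntegrityLevel, lowercased


def is_excluded_user(user: str) -> bool:
    """Case-insensitive wildcard match against the Stage 1 exclusion list."""
    upper = user.upper()
    return any(fnmatch.fnmatchcase(upper, p.upper()) for p in EXCLUDED_USER_PATTERNS)


def find_suspicious_elevations(events, suspicious_dirs=None):
    """Return (parent, child) pairs where a low/medium-integrity process owned by a
    real user spawned a child at strictly higher integrity.

    `suspicious_dirs`: optional list of path prefixes standing in for the rule's
    process_path allowlist; None means "no path filter".
    """
    by_guid = {e.guid: e for e in events}
    hits = []
    for child in events:
        parent = by_guid.get(child.parent_guid)
        if parent is None:
            continue  # no parent record in this batch (join type=inner drops it)
        if is_excluded_user(parent.user):
            continue  # Stage 1: parent must run as a user, not a service account
        if parent.integrity not in ("low", "medium"):
            continue  # parent must itself be unelevated
        if INTEGRITY_RANK.get(child.integrity, -1) <= INTEGRITY_RANK[parent.integrity]:
            continue  # child must be strictly more privileged (high or system)
        if suspicious_dirs is not None and not any(
            child.image.lower().startswith(d.lower()) for d in suspicious_dirs
        ):
            continue  # child image outside the (assumed) suspicious locations
        hits.append((parent, child))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("P1", "P0", "CORP\\alice", "C:\\Windows\\explorer.exe", "medium"),
    ProcEvent("C1", "P1", "CORP\\alice", "C:\\Windows\\System32\\notepad.exe", "medium"),
    ProcEvent("C2", "P1", "CORP\\alice", "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "high"),
    ProcEvent("S1", "S0", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\services.exe", "system"),
    ProcEvent("C3", "S1", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\svchost.exe", "system"),
]


if __name__ == "__main__":
    for parent, child in find_suspicious_elevations(SAMPLE_EVENTS):
        print(f"{parent.user}: {parent.image} ({parent.integrity}) -> "
              f"{child.image} ({child.integrity})")
```

Run as a script it reports the single constructed hit (explorer.exe at medium spawning a high-integrity binary under the user's Temp directory); the SYSTEM-owned pair is dropped by the user exclusion before integrity is even compared, which is the same ordering of filters the rule applies in Stage 1 versus the later `where`.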
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | user | in | "*$", "*LOCAL SERVICE", "*NETWORK SERVICE", "*SYSTEM", "DWM-*" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Processes.parent_process_path | in | |
| Processes.process_integrity_level | in | |
| Processes.process_path | in | |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Privilege Escalation User Process Spawn System Process (adds 1 filter)