Windows Privilege Escalation System Process Without System Parent

Author: Steven Dick
Source: upstream

The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1068` Exploitation for Privilege Escalation, `T1134` Access Token Manipulation, `T1548` Abuse Elevation Control Mechanism
Defense Evasion	`T1134` Access Token Manipulation, `T1548` Abuse Elevation Control Mechanism

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `search`

search NOT ParentUser IN ("*$", "*DWM-*", "*LOCAL SERVICE", "*NETWORK SERVICE", "*SYSTEM", "-") EventCode=1 IntegrityLevel="system" ParentUser="*"

Stage 2: `eval`

eval ... using (ParentUser)

Stage 3: `stats`

stats BY action, dest, original_file_name, parent_process, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_guid, process_hash, process_id, process_integrity_level, process_name, process_path, user, user_id, vendor_product, src_user

Stage 4: `search`

search

Stage 5: `search`

search

Stage 6: `search`

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`ParentUser`	in	`"$"`, `"DWM-"`, `"LOCAL SERVICE"`, `"NETWORK SERVICE"`, `"SYSTEM"`, `"-"`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`1` corpus 3 (splunk 3)
`IntegrityLevel`	eq	`"system"` corpus 2 (splunk 2)
`ParentUser`	eq	`*`

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Detect Remote Access Software Usage FileInfo [splunk] (drops 3 filters this rule applies) (first-stage match only; downstream stages may differ)