Initial commit

skills/incident-response/detection-sigma/assets/rule-templates/privilege-escalation.yml

@@ -0,0 +1,65 @@
+title: Privilege Escalation via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects privilege escalation attempts using [specific technique]
+references:
+    - https://attack.mitre.org/tactics/TA0004/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.privilege_escalation
+    - attack.t1068  # Replace with specific technique
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+        # IntegrityLevel: 'High'
+        # ParentIntegrityLevel: 'Medium'
+    condition: selection
+falsepositives:
+    - Legitimate software updates
+    - System administration tools
+level: high
+fields:
+    - User
+    - IntegrityLevel
+    - CommandLine
+    - ParentImage
+
+# Common Privilege Escalation Techniques:
+#
+# T1055 - Process Injection
+# detection:
+#     selection:
+#         EventID: 8  # CreateRemoteThread
+#         TargetImage|endswith:
+#             - '\lsass.exe'
+#             - '\explorer.exe'
+#
+# T1134 - Access Token Manipulation
+# detection:
+#     selection:
+#         EventID: 4703  # Token adjusted
+#         EnabledPrivilegeList|contains:
+#             - 'SeDebugPrivilege'
+#             - 'SeTakeOwnershipPrivilege'
+#
+# T1548.002 - Bypass User Account Control
+# detection:
+#     selection:
+#         ParentImage|endswith:
+#             - '\fodhelper.exe'
+#             - '\eventvwr.exe'
+#         IntegrityLevel: 'High'
+#         ParentIntegrityLevel: 'Medium'
+#
+# T1068 - Exploitation for Privilege Escalation
+# detection:
+#     selection:
+#         CommandLine|contains:
+#             - 'JuicyPotato'
+#             - 'PrintSpoofer'
+#             - 'GodPotato'