title: Privilege Escalation via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects privilege escalation attempts using [specific technique]
references:
    - https://attack.mitre.org/tactics/TA0004/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
    - attack.privilege_escalation
    - attack.t1068  # Replace with specific technique
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Define your detection criteria
        # IntegrityLevel: 'High'
        # ParentIntegrityLevel: 'Medium'
    condition: selection
falsepositives:
    - Legitimate software updates
    - System administration tools
level: high
fields:
    - User
    - IntegrityLevel
    - CommandLine
    - ParentImage

# Common Privilege Escalation Techniques:
#
# T1055 - Process Injection
# detection:
#     selection:
#         EventID: 8  # CreateRemoteThread
#         TargetImage|endswith:
#             - '\lsass.exe'
#             - '\explorer.exe'
#
# T1134 - Access Token Manipulation
# detection:
#     selection:
#         EventID: 4703  # Token adjusted
#         EnabledPrivilegeList|contains:
#             - 'SeDebugPrivilege'
#             - 'SeTakeOwnershipPrivilege'
#
# T1548.002 - Bypass User Account Control
# detection:
#     selection:
#         ParentImage|endswith:
#             - '\fodhelper.exe'
#             - '\eventvwr.exe'
#         IntegrityLevel: 'High'
#         ParentIntegrityLevel: 'Medium'
#
# T1068 - Exploitation for Privilege Escalation
# detection:
#     selection:
#         CommandLine|contains:
#             - 'JuicyPotato'
#             - 'PrintSpoofer'
#             - 'GodPotato'
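Added example (not part of the rule template or of the Sigma project): a minimal matcher that applies the T1548.002 and T1068 selections sketched in the comments above to process_creation events. It implements only what the template uses (plain field equality, the `|endswith` and `|contains` modifiers, a list of values as OR, keys as AND); the events are constructed, not real telemetry.

```python
# Minimal Sigma-style selection matcher for the two commented selections above.
# Assumption: Sigma string matching is case-insensitive, so values are lowercased.

UAC_BYPASS_SELECTION = {  # T1548.002 selection from the template
    "ParentImage|endswith": ["\\fodhelper.exe", "\\eventvwr.exe"],
    "IntegrityLevel": "High",
    "ParentIntegrityLevel": "Medium",
}

POTATO_SELECTION = {  # T1068 selection from the template
    "CommandLine|contains": ["JuicyPotato", "PrintSpoofer", "GodPotato"],
}


def _field_matches(field_spec, expected, event):
    """One Sigma key/value pair: a list of values is an OR, a missing field never matches."""
    name, _, modifier = field_spec.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def matches(selection, event):
    """All keys of a selection must match (Sigma ANDs the keys of one selection)."""
    return all(_field_matches(k, v, event) for k, v in selection.items())


# Constructed process_creation events (not real logs): one UAC-bypass-shaped, one benign.
EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "IntegrityLevel": "High",
     "ParentIntegrityLevel": "Medium", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium",
     "ParentIntegrityLevel": "Medium", "CommandLine": "notepad.exe"},
]


def alerts(events):
    """Return (event index, technique id) for every event that fires a selection."""
    hits = []
    for i, ev in enumerate(events):
        if matches(UAC_BYPASS_SELECTION, ev):
            hits.append((i, "T1548.002"))
        if matches(POTATO_SELECTION, ev):
            hits.append((i, "T1068"))
    return hits
```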