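---
# Sigma rule template for a Windows privilege-escalation detection.
# Replace every bracketed placeholder and the id before use; the
# indentation below is the Sigma layout (logsource/detection children
# must be nested, otherwise `logsource:` and `detection:` parse as null).
title: Privilege Escalation via [TECHNIQUE]
id: GENERATE-NEW-UUID  # replace with a freshly generated UUID
status: experimental
description: Detects privilege escalation attempts using [specific technique]
references:
  - https://attack.mitre.org/tactics/TA0004/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - attack.privilege_escalation
  - attack.t1068  # Replace with specific technique
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Define your detection criteria.
    # NOTE: while only comments sit under `selection:` it parses as null,
    # so `condition: selection` references an empty selection and the rule
    # is rejected/matches nothing — add at least one field/value pair.
    # IntegrityLevel: 'High'
    # ParentIntegrityLevel: 'Medium'  # not a standard Sysmon EID 1 field — confirm the log source provides it
  condition: selection
falsepositives:
  - Legitimate software updates
  - System administration tools
level: high
fields:
  - User
  - IntegrityLevel
  - CommandLine
  - ParentImage

# Common Privilege Escalation Techniques (example selections):
# Each example keeps the same `detection:`/`selection:` nesting as above.
# Check that the logsource matches the fields used — the template's
# process_creation source does not carry the Sysmon EID 8 or Security
# 4703 fields used in the first two examples.
#
# T1055 - Process Injection
#   (Sysmon EID 8 lives under `category: create_remote_thread`, not process_creation)
# detection:
#   selection:
#     EventID: 8  # CreateRemoteThread
#     TargetImage|endswith:
#       - '\lsass.exe'
#       - '\explorer.exe'
#
# T1134 - Access Token Manipulation
#   (EID 4703 is a Windows Security log event: `product: windows`, `service: security`)
# detection:
#   selection:
#     EventID: 4703  # Token adjusted
#     EnabledPrivilegeList|contains:
#       - 'SeDebugPrivilege'
#       - 'SeTakeOwnershipPrivilege'
#
# T1548.002 - Bypass User Account Control
# detection:
#   selection:
#     ParentImage|endswith:
#       - '\fodhelper.exe'
#       - '\eventvwr.exe'
#     IntegrityLevel: 'High'
#     ParentIntegrityLevel: 'Medium'
#
# T1068 - Exploitation for Privilege Escalation
#   (tool-name matching is easily evaded by renaming; treat as a low-effort
#   baseline and pair with behavioural selections where possible)
# detection:
#   selection:
#     CommandLine|contains:
#       - 'JuicyPotato'
#       - 'PrintSpoofer'
#       - 'GodPotato'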