Windows Privilege Escalation System Process Without System Parent
The following analytic detects any process created at System integrity level whose parent process ran under a non-SYSTEM account. It leverages Sysmon Event ID 1, keying on the child's IntegrityLevel and the parent's user (ParentUser). This behavior is significant because a SYSTEM-integrity child of a user-owned process usually indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the host, execute arbitrary code as SYSTEM, and pivot to compromise the wider environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1068 Exploitation for Privilege Escalation, T1134 Access Token Manipulation, T1548 Abuse Elevation Control Mechanism |
| Defense Evasion | T1134 Access Token Manipulation, T1548 Abuse Elevation Control Mechanism |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body (Splunk)
name: Windows Privilege Escalation System Process Without System Parent
id: 5a5351cd-ba7e-499e-ad82-2ce160ffa637
version: 10
creation_date: '2024-02-14'
modification_date: '2026-05-13'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.
data_source:
- Sysmon EventID 1
search: '`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) as lastTime by action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`'
how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.
known_false_positives: No false positives have been identified at this time.
references:
- https://attack.mitre.org/techniques/T1068/
- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor
- https://redcanary.com/blog/getsystem-offsec/
- https://atomicredteam.io/privilege-escalation/T1134.001/
drilldown_searches:
- name: View the detection results for - "$dest$" and "$src_user$"
search: '%original_detection_search% | search dest = "$dest$" src_user = "$src_user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$src_user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.
entity:
field: src_user
type: user
score: 50
intermediate_findings:
entities:
- field: dest
type: system
score: 50
message: The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.
threat_objects:
- field: process_name
type: process_name
analytic_story:
- Windows Privilege Escalation
- BlackSuit Ransomware
asset_type: Endpoint
mitre_attack_id:
- T1068
- T1548
- T1134
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
name: True Positive Test
test_type: unit
Stages and Predicates
Stage 1: search
`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-")
Stage 2: eval
| eval src_user = replace(ParentUser,"^[^\\\]+\\\\","")
Stage 3: stats
| stats count min(_time) as firstTime max(_time) as lastTime by action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product src_user
Stage 4: macro (security_content_ctime, expands to a convert ctime() of firstTime)
| `security_content_ctime(firstTime)`
Stage 5: macro (security_content_ctime, expands to a convert ctime() of lastTime)
| `security_content_ctime(lastTime)`
Stage 6: macro (per-rule tuning filter; defaults to `search *` until overridden locally)
| `windows_privilege_escalation_system_process_without_system_parent_filter`
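The description above and the stage breakdown both explain the same three-step logic: filter Sysmon Event ID 1 on System integrity and a non-system ParentUser, derive src_user by stripping the domain prefix, then aggregate. The following is an added stand-alone example, not code from the Splunk rule or this page: a Python re-implementation of stages 1 to 3 that can be run over constructed Sysmon Event ID 1 records to check the exclusion list and the src_user derivation outside Splunk. It assumes the records are already mapped to the CIM field names the rule groups by (dest, user, process_name, parent_process_name), groups by a reduced subset of the rule's stats-by fields, and omits the two ctime macros and the tuning filter. The host name, account names and the parent process "escalate.exe" in the sample records are invented.

```python
import fnmatch
import re
from collections import defaultdict

# Exclusion list copied from the rule's NOT ParentUser IN (...). Splunk's
# wildcard comparison on field values is case-insensitive, so both sides are
# lower-cased before the glob match.
EXCLUDED_PARENT_USERS = (
    "*SYSTEM", "*LOCAL SERVICE", "*NETWORK SERVICE", "*DWM-*", "*$", "-",
)

# Python equivalent of: eval src_user = replace(ParentUser, "^[^\\]+\\", "")
# i.e. drop a leading "DOMAIN\" or "NT AUTHORITY\" prefix.
DOMAIN_PREFIX = re.compile(r"^[^\\]+\\")

# Grouping key: a subset of the rule's long stats-by list (assumption for brevity).
GROUP_FIELDS = ("dest", "process_name", "parent_process_name", "user", "src_user")


def parent_user_excluded(parent_user):
    """True when ParentUser is covered by one of the rule's exclusion globs."""
    value = parent_user.lower()
    return any(fnmatch.fnmatchcase(value, pat.lower()) for pat in EXCLUDED_PARENT_USERS)


def stage1_filter(event):
    """Stage 1: EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN (...)."""
    if str(event.get("EventCode")) != "1":
        return False
    if str(event.get("IntegrityLevel", "")).lower() != "system":
        return False
    parent_user = event.get("ParentUser")
    if not parent_user:  # ParentUser=* needs the field present and non-empty
        return False
    return not parent_user_excluded(parent_user)


def src_user_of(parent_user):
    """Stage 2: src_user is ParentUser with the domain prefix removed."""
    return DOMAIN_PREFIX.sub("", parent_user, count=1)


def run_detection(events):
    """Stage 3: stats count min(_time) as firstTime max(_time) as lastTime by GROUP_FIELDS."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not stage1_filter(ev):
            continue
        row = dict(ev, src_user=src_user_of(ev["ParentUser"]))
        key = tuple(row[f] for f in GROUP_FIELDS)
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
    return [dict(zip(GROUP_FIELDS, key), **agg) for key, agg in groups.items()]


def _event(t, integrity, parent_user, user, proc, parent, dest="WKSTN01"):
    """Build one constructed Sysmon EID 1 record with CIM-style field names."""
    return {"_time": t, "EventCode": 1, "IntegrityLevel": integrity, "ParentUser": parent_user,
            "user": user, "process_name": proc, "parent_process_name": parent, "dest": dest}


# Constructed records, not real telemetry. "escalate.exe" is a placeholder
# for whatever user-controlled process performed the escalation.
SAMPLE_EVENTS = [
    # Normal service start under SYSTEM: suppressed by "*SYSTEM".
    _event(1700000000, "System", "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\SYSTEM", "svchost.exe", "services.exe"),
    # Desktop Window Manager parent: suppressed by "*DWM-*".
    _event(1700000010, "System", "Window Manager\\DWM-1", "NT AUTHORITY\\SYSTEM", "conhost.exe", "dwm.exe"),
    # Computer account parent: suppressed by "*$".
    _event(1700000020, "System", "CORP\\WKSTN01$", "NT AUTHORITY\\SYSTEM", "conhost.exe", "svchost.exe"),
    # Sysmon could not resolve the parent's user: suppressed by "-".
    _event(1700000030, "System", "-", "NT AUTHORITY\\SYSTEM", "conhost.exe", "svchost.exe"),
    # Interactive user launching a Medium-integrity shell: not System integrity, not matched.
    _event(1700000040, "Medium", "CORP\\jdoe", "CORP\\jdoe", "cmd.exe", "explorer.exe"),
    # System-integrity cmd.exe whose parent ran as CORP\jdoe: the escalation the rule targets.
    _event(1700000100, "System", "CORP\\jdoe", "NT AUTHORITY\\SYSTEM", "cmd.exe", "escalate.exe"),
    # Repeated a minute later; aggregates into the same row with count=2.
    _event(1700000160, "System", "CORP\\jdoe", "NT AUTHORITY\\SYSTEM", "cmd.exe", "escalate.exe"),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Two things the glob exclusions make visible when run this way: `*SYSTEM` and `*$` are suffix matches, so any account whose name happens to end in "system" or "$" is also suppressed, and a parent whose user Sysmon could not resolve is reported as `-` and never reaches the stats stage. Both are worth remembering when tuning the filter macro.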
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| ParentUser | in | "*$", "*DWM-*", "*LOCAL SERVICE", "*NETWORK SERVICE", "*SYSTEM", "-" |
Indicators
Each row is a field, operator, and value that the rule positively matches (the suppressed ParentUser values are listed under Exclusions above).
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 1 |
| IntegrityLevel | eq | "system" |
| ParentUser | eq | * (any non-empty value; the field must be present) |