Sigma Rules
801 rules found for "privilege-escalation"
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
Using SettingSyncHost.exe as LOLBin
Detects using SettingSyncHost.exe to run hijacked binary
Suspicious Driver Install by pnputil.exe
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Potential DLL Injection Or Execution Using Tracker.exe
Detects potential DLL injection and execution using "Tracker.exe"
Windows Default Domain GPO Modification via GPME
Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Potential Process Injection Via Msra.EXE
Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam Dabatase
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Password Provided In Command Line Of Net.EXE
Detects a when net.exe is called with a password in the command line
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
New Service Creation Using PowerShell
Detects the creation of a new service using powershell.
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.
PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
PUA - Wsudo Suspicious Execution
Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Modify Group Policy Settings
Detect malicious GPO modifications can be used to implement many other malicious behaviors.
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
Regedit as Trusted Installer
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that holds credentials via commandline
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Regsvr32 DLL Execution With Uncommon Extension
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
Renamed Vmnat.exe Execution
Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Suspicious NTLM Authentication on the Printer Spooler Service
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Rundll32 Registered COM Objects
load malicious registered COM objects
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
New Service Creation Using Sc.EXE
Detects the creation of a new service using the "sc.exe" utility.
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.