Sigma Rules
801 rules found for "privilege-escalation"
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Tasks Folder Evasion
The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script host or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, or eventvwr.
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
Suspect Svchost Activity
It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
Permission Check Via Accesschk.EXE
Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Potential Privilege Escalation To LOCAL SYSTEM
Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
UAC Bypass Using ChangePK and SLUI
Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Bypass UAC via CMSTP
Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Potential UAC Bypass Via Sdclt.EXE
A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset, usable with the default sysmon-config
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
Whoami.EXE Execution From Privileged Process
Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Security Privileges Enumeration Via Whoami.EXE
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Suspicious Processes Spawned by WinRM
Detects suspicious processes, including shells, spawned from the WinRM host process
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
WMI Persistence - Script Event Consumer
Detects WMI script event consumers
New ActiveScriptEventConsumer Created Via Wmic.EXE
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
Xwizard.EXE Execution From Non-Default Location
Detects the execution of the Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side-load a custom version of "xwizards.dll".