CAR-2021-01-004.yaml
---
title: Unusual Child Process for Spoolsv.Exe or Connhost.Exe
submission_date: 2020/12/03
information_domain: 'Host'
platforms:
  - Windows
subtypes:
  - Process
analytic_types:
  - Anomaly
contributors:
  - Cyware Labs
id: CAR-2021-01-004
description: |
  After gaining initial access to a system, threat actors attempt to escalate privileges, since they may be operating within a lower-privileged process that does not allow them to access protected information or carry out tasks that require higher permissions. A common way of escalating privileges on a system is by externally invoking and exploiting the spoolsv or conhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables from cmd.exe, thus alerting us to potentially malicious activity.
coverage:
  - technique: T1068
    coverage: Low
    tactics:
      - TA0004
implementations:
  - name: Splunk search - Unusual Child Process For Spoolsv.exe Or Connhost.exe
    description: This query looks for spoolsv.exe or conhost.exe being started with cmd.exe as the parent process, an unusual parent for either binary, thus alerting us to potentially malicious activity.
    code: |
      (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\System32\\spoolsv.exe*" OR Image="C:\\Windows\\System32\\conhost.exe") ParentImage="C:\\Windows\\System32\\cmd.exe"
    data_model: Sysmon native
    type: Splunk
data_model_references:
  - process/create/command_line
d3fend_mappings:
  - iri: d3f:ProcessSpawnAnalysis
    id: D3-PSA
    label: Process Spawn Analysis
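The Splunk search above, re-implemented as an added Python example (not part of the CAR analytic) so the matching logic can be exercised offline against constructed Sysmon Event ID 1 records; the field names EventCode, Image and ParentImage follow the Sysmon-in-Splunk layout the search assumes, and the sample events are made up for illustration.

```python
from typing import Dict, Iterable, List

# Constructed, simplified Sysmon process-creation records in the shape Splunk
# exposes them (EventCode, Image, ParentImage). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # normal service start
    {"EventCode": 1, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},       # matches the search
    {"EventCode": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},       # matches the search
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},   # reverse direction: not matched
    {"EventCode": 3, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},       # not a process-creation event
]

# Same paths as the Splunk search; Windows paths are case-insensitive,
# so everything is compared lowercased.
SPOOLSV = r"c:\windows\system32\spoolsv.exe"
CONHOST = r"c:\windows\system32\conhost.exe"
CMD = r"c:\windows\system32\cmd.exe"


def is_unusual_child(event: Dict[str, object]) -> bool:
    """Mirror the Splunk search: EventCode 1, Image is spoolsv.exe (the search
    uses a trailing wildcard, reproduced here with startswith) or conhost.exe,
    and the parent process is cmd.exe."""
    if event.get("EventCode") != 1:
        return False
    image = str(event.get("Image", "")).lower()
    parent = str(event.get("ParentImage", "")).lower()
    image_hit = image.startswith(SPOOLSV) or image == CONHOST
    return image_hit and parent == CMD


def find_unusual_children(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events the analytic would alert on, in input order."""
    return [e for e in events if is_unusual_child(e)]


if __name__ == "__main__":
    for hit in find_unusual_children(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} spawned by {hit['ParentImage']}")
```

Note that on Windows 8 and later conhost.exe is normally started by the console application itself, so cmd.exe as the parent of conhost.exe is routine benign activity; baseline this analytic in your environment before alerting on it, which is consistent with its Anomaly type and Low coverage rating.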