FalconFriday — Privilege Escalations to SYSTEM — 0xFF13
Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start without SYSTEM privileges and spawn child processes that do have SYSTEM privileges.

TL;DR for blue teams: Using the simple MDE query provided in this article, various Windows privilege escalations to SYSTEM can be detected.

TL;DR for red teams: Certain privilege escalation techniques are easier to detect than you might think. Think twice before using an exploit to escalate to SYSTEM, especially if child processes are spawned.

The most commonly used techniques for running commands as SYSTEM are using PsExec or creating a service. These techniques are extensively covered by out-of-the-box detection rules in security products such as MDE.

However, there are also other techniques that allow a more direct escalation to SYSTEM which are not always detected as malicious. Examples of these techniques are abusing access privileges such as SeImpersonatePrivilege and stealing process tokens from other processes.

When researching these techniques we came up with an MDE detection rule that is so simple we can include it right here in the blog post:

DeviceProcessEvents
| where AccountSid == "S-1-5-18" // Sid for SYSTEM
| where not(InitiatingProcessAccountSid == AccountSid)
| where not(isempty(InitiatingProcessAccountSid))
| where InitiatingProcessIntegrityLevel != "System"
| where not(AdditionalFields contains "InitiatingProcessPosixSessionId") // Exclude POSIX events
| project-reorder Timestamp, DeviceName, FileName, InitiatingProcessCommandLine

The idea of the rule is to focus on the outcome of the privilege escalation, rather than the mechanism by which this outcome was achieved. The rule searches for processes that run as SYSTEM that were created from a process that was not running as SYSTEM.

When running this in our own lab environments we noticed this rule can identify various SYSTEM privilege escalation methods, for example:

  • Abuse of SeImpersonatePrivilege by offensive tools such as PrintSpoofer.
  • Stealing of process tokens from other processes by offensive tools such as PPLDump and PowerSploit Get-System.
  • The CobaltStrike Beacon GetSystem command is detected once a sub-process is spawned from the elevated beacon session.
  • Privilege escalation exploits for vulnerabilities such as CVE-2021-1732 could potentially be detected because they also spawn processes as SYSTEM from unprivileged processes.

What is interesting is that this rule also detects a number of tools that can escalate their privileges to SYSTEM which are not directly considered offensive tools:

  • The NirCmd tool from the famous NirSoft collection of tools provides a runassystem command that can escalate privileges to SYSTEM and execute a command.
  • There are some remote access tools such as TeamViewer and AnyDesk that use similar methods to escalate their privileges. This did not really come as a surprise, since these tools often show up in the results of our detection queries because they use techniques very similar to those used by malware and offensive tools.
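
To see which events each filter in the rule keeps or drops, and how hits from expected tools can be grouped for triage, the following added example (not part of the original article) runs the same filters over a constructed datatable. All SIDs, host names and file names in the rows are made up, and the final summarize step is an assumption about how one might review results, not part of the published rule.

```kql
// Constructed sample rows: SIDs, host names and file names are made up.
let SampleEvents = datatable(
    Timestamp:datetime, DeviceName:string, FileName:string, AccountSid:string,
    InitiatingProcessFileName:string, InitiatingProcessCommandLine:string,
    InitiatingProcessAccountSid:string, InitiatingProcessIntegrityLevel:string,
    AdditionalFields:string)
[
    // SYSTEM parent and SYSTEM child: exercises the SID comparison
    datetime(2024-01-01 09:00:00), "host-a", "svchost.exe", "S-1-5-18",
        "services.exe", "services.exe", "S-1-5-18", "System", "",
    // No initiating SID recorded: exercises the isempty() filter
    datetime(2024-01-01 09:01:00), "host-a", "smss.exe", "S-1-5-18",
        "", "", "", "", "",
    // Non-SYSTEM SID at System integrity: exercises the integrity-level filter
    datetime(2024-01-01 09:02:00), "host-a", "helper.exe", "S-1-5-18",
        "svc-host.exe", "svc-host.exe", "S-1-5-19", "System", "",
    // POSIX event: exercises the AdditionalFields exclusion
    datetime(2024-01-01 09:03:00), "host-b", "bash", "S-1-5-18",
        "init", "init", "S-1-5-21-1-2-3-1001", "Medium",
        '{"InitiatingProcessPosixSessionId":1}',
    // User parent and user child: the child is not a SYSTEM process
    datetime(2024-01-01 09:04:00), "host-c", "notepad.exe", "S-1-5-21-1-2-3-1001",
        "explorer.exe", "explorer.exe", "S-1-5-21-1-2-3-1001", "Medium", "",
    // User parent at High integrity with a SYSTEM child: the case the rule targets
    datetime(2024-01-01 09:05:00), "host-c", "cmd.exe", "S-1-5-18",
        "tool.exe", "tool.exe -run cmd.exe", "S-1-5-21-1-2-3-1001", "High", "",
    // Same pattern from a constructed remote-support agent, seen on two hosts
    datetime(2024-01-01 09:06:00), "host-c", "agent-svc.exe", "S-1-5-18",
        "remote-support.exe", "remote-support.exe", "S-1-5-21-1-2-3-1001", "High", "",
    datetime(2024-01-01 09:07:00), "host-d", "agent-svc.exe", "S-1-5-18",
        "remote-support.exe", "remote-support.exe", "S-1-5-21-1-2-3-1002", "High", ""
];
SampleEvents
| where AccountSid == "S-1-5-18" // Sid for SYSTEM
| where not(InitiatingProcessAccountSid == AccountSid)
| where not(isempty(InitiatingProcessAccountSid))
| where InitiatingProcessIntegrityLevel != "System"
| where not(AdditionalFields contains "InitiatingProcessPosixSessionId")
// Added triage step (not in the original rule): group hits per parent/child pair
// so recurring, expected tools stand apart from one-off escalations.
| summarize Hits = count(), Devices = dcount(DeviceName), LastSeen = max(Timestamp)
    by InitiatingProcessFileName, FileName
| order by Hits desc
```

Replacing SampleEvents with DeviceProcessEvents applies the same grouping to real telemetry.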

Hopefully this article shows that not all detections have to be complex KQL queries consisting of hundreds of lines of code, and that some simple detections can also be useful in detecting attacks.
