A process executed under the SYSTEM user context that was initiated by a process with lower privileges may indicate a local privilege escalation attempt via exploit techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary exploitation of misconfigured or compromised local accounts.
KQL Query

```kusto
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
| parse EventData with * 'IntegrityLevel">' IntegrityLevel "<" * 'ParentUser">' ParentUser "<" *
| where IntegrityLevel in ("System") and not(ParentUser in ("NT AUTHORITY\\NETWORK SERVICE","-","NT AUTHORITY\\SYSTEM","NT AUTHORITY\\LOCAL SERVICE"))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'CommandLine">' CommandLine "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ParentUser, ParentImage, ParentCommandLine, ParentProcessGuid, IntegrityLevel, UserName, Image, CommandLine, ProcessGuid
```
```yaml
id: a78b826e-f2d1-42f9-b21b-20cf3bc2d391
name: Potential Local Exploitation for Privilege Escalation
description: |
  'This query detects a process that runs under SYSTEM user's security context and was spawned by a process that was running under a lower security context indicating an exploitation for privilege escalation.
  Ref: https://attack.mitre.org/techniques/T1068/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Execution
relevantTechniques:
  - T1068
query: |
  Event
  | where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
  | parse EventData with * 'IntegrityLevel">' IntegrityLevel "<" * 'ParentUser">' ParentUser "<" *
  | where IntegrityLevel in ("System") and not(ParentUser in ("NT AUTHORITY\\NETWORK SERVICE","-","NT AUTHORITY\\SYSTEM","NT AUTHORITY\\LOCAL SERVICE"))
  | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'CommandLine">' CommandLine "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ParentUser, ParentImage, ParentCommandLine, ParentProcessGuid, IntegrityLevel, UserName, Image, CommandLine, ProcessGuid
```
- **Scenario:** A system update or patching tool (e.g., wusa.exe or msiexec.exe) is executed by a local admin account, which then spawns a process under the SYSTEM context as part of the update process.
  **Filter/Exclusion:** Check for processes associated with known update tools, or use the CommandLine field to exclude known legitimate command lines such as `"C:\Windows\System32\wusa.exe" /quiet /norestart` or `"msiexec.exe" /i "update.msi"`.
- **Scenario:** A scheduled task (e.g., schtasks.exe) configured by an admin to run under the SYSTEM context for maintenance purposes (e.g., disk cleanup, log rotation).
  **Filter/Exclusion:** Use the ProcessName field (the Image column in the query) to exclude schtasks.exe when it is known to be running scheduled tasks, or filter on the ParentProcessName (ParentImage) to exclude legitimate parent processes such as services.exe.
- **Scenario:** A legitimate administrative tool (e.g., taskmgr.exe, regedit.exe, or mmc.exe) is launched by a user with admin rights, which then spawns a process under the SYSTEM context to perform a system-wide configuration change.
  **Filter/Exclusion:** Use the ProcessName field (Image) to exclude known administrative tools, or check the CommandLine for known legitimate administrative actions (e.g., regedit.exe with a specific registry path).
- **Scenario:** A third-party application (e.g., sqlservr.exe or java.exe) is configured to run under the SYSTEM context for performance or security reasons, and it spawns child processes that appear suspicious.
  **Filter/Exclusion:** Use the ProcessName field (Image) to exclude known third-party services or applications that are known to run under SYSTEM, or check the ParentProcessName (ParentImage) to ensure it is a legitimate service process.
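The following is an added example, not part of the original rule or the Sentinel repository: a small Python emulation of the query's logic (System integrity level, parent user outside the service-account list) with the exclusions from the scenarios above layered on top, run over constructed Sysmon Event ID 1 EventData fragments. It lets an analyst check how a proposed allowlist changes the verdict before editing the production KQL. The allowlist values, the `_event` helper and all sample records are assumptions made for this example.

```python
import re

# Service accounts the KQL rule already ignores as parents (same list as the query).
SERVICE_PARENT_USERS = {
    "NT AUTHORITY\\NETWORK SERVICE",
    "-",
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
}

# Allowlist assembled from the false-positive scenarios above. These are
# assumptions for the example; tune them to what really runs as SYSTEM locally.
BENIGN_COMMAND_LINES = {
    '"C:\\Windows\\System32\\wusa.exe" /quiet /norestart',
    '"msiexec.exe" /i "update.msi"',
}
BENIGN_PARENT_IMAGE_NAMES = {"services.exe"}  # legitimate service/task hosts
BENIGN_IMAGE_NAMES = {"schtasks.exe"}         # known maintenance tooling

# Sysmon EventData is a sequence of <Data Name="..."> elements. Reading them into
# a dict mirrors the two `parse EventData with ...` statements in the query
# without depending on the field order inside the XML.
FIELD_RE = re.compile(r'<Data Name="([^"]+)">([^<]*)</Data>')


def parse_event_data(event_data: str) -> dict:
    """Return the EventData fields of one Sysmon Event ID 1 record as a dict."""
    return dict(FIELD_RE.findall(event_data))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(fields: dict) -> str:
    """Apply the rule's two conditions, then the allowlist.

    Returns one of: "not_system", "service_parent", "allowlisted", "alert".
    """
    if fields.get("IntegrityLevel") != "System":
        return "not_system"
    # A record with no ParentUser at all is not excused: it still surfaces for
    # review, which also reveals sensors that do not emit the field.
    if fields.get("ParentUser", "") in SERVICE_PARENT_USERS:
        return "service_parent"
    if fields.get("CommandLine", "") in BENIGN_COMMAND_LINES:
        return "allowlisted"
    if basename(fields.get("ParentImage", "")) in BENIGN_PARENT_IMAGE_NAMES:
        return "allowlisted"
    if basename(fields.get("Image", "")) in BENIGN_IMAGE_NAMES:
        return "allowlisted"
    return "alert"


def hunt(events) -> list:
    """Run the detection over raw EventData strings; return records worth triage."""
    keys = ("ParentUser", "ParentImage", "ParentCommandLine",
            "Image", "CommandLine", "ProcessGuid")
    hits = []
    for raw in events:
        fields = parse_event_data(raw)
        if classify(fields) == "alert":
            hits.append({k: fields.get(k, "") for k in keys})
    return hits


def _event(**kv) -> str:
    """Build a constructed EventData fragment in Sysmon's element form (test data only)."""
    return "".join(f'<Data Name="{k}">{v}</Data>' for k, v in kv.items())


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # 1. A low-privileged user's program spawns a SYSTEM-integrity shell: the case the rule targets.
    _event(ProcessGuid="{constructed-0001}", Image="C:\\Windows\\System32\\cmd.exe",
           CommandLine="cmd.exe /c whoami", User="NT AUTHORITY\\SYSTEM", IntegrityLevel="System",
           ParentProcessGuid="{constructed-0002}", ParentImage="C:\\Users\\alice\\Downloads\\tool.exe",
           ParentCommandLine="tool.exe", ParentUser="CORP\\alice"),
    # 2. services.exe starting a service: the parent is SYSTEM, so the query's own filter drops it.
    _event(ProcessGuid="{constructed-0003}", Image="C:\\Windows\\System32\\svchost.exe",
           CommandLine="svchost.exe -k netsvcs", IntegrityLevel="System",
           ParentImage="C:\\Windows\\System32\\services.exe", ParentUser="NT AUTHORITY\\SYSTEM"),
    # 3. Admin-driven patch run whose SYSTEM child matches an allowlisted command line.
    _event(ProcessGuid="{constructed-0004}", Image="C:\\Windows\\System32\\msiexec.exe",
           CommandLine='"msiexec.exe" /i "update.msi"', IntegrityLevel="System",
           ParentImage="C:\\Windows\\explorer.exe", ParentUser="CORP\\admin"),
    # 4. Elevated admin process at High integrity: not SYSTEM, so out of scope.
    _event(ProcessGuid="{constructed-0005}", Image="C:\\Windows\\regedit.exe",
           CommandLine="regedit.exe", IntegrityLevel="High",
           ParentImage="C:\\Windows\\explorer.exe", ParentUser="CORP\\admin"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Only the first record survives. When the same allowlist is moved into Sentinel, it belongs as an additional `where` clause after the second `parse` and before the `summarize`, for example `| where not(CommandLine in ("...", "..."))`, so that the summarized columns stay as the rule defines them.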