FalconFriday — Privilege Escalations to SYSTEM — 0xFF13

Post-Image

FalconFriday — Privilege Escalations to SYSTEM — 0xFF13

Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start without SYSTEM privileges, and spawn child processes that do have SYSTEM privileges.

TL;DR for blue teams: Using the simple MDE query provided in this article, various Windows privilege escalations to SYSTEM can be detected.

TL;DR for red teams: Certain privilege escalation techniques are easier to detect than you might think. Think twice before using an exploit to escalate to SYSTEM, especially if child processes are spawned.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-privilege-escalations-to-system-0xff13-cf0bbc4e7d23

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday