← Back to SOC feed Coverage →

Suspicious Child Process Created as System

sigma HIGH SigmaHQ
T1134.002
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-20T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

Detection Rule

Sigma (Original)

title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://github.com/antonioCoco/RogueWinRM
    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
detection:
    selection:
        ParentUser|contains:
            - 'AUTHORI'
            - 'AUTORI'
        ParentUser|endswith:
            - '\NETWORK SERVICE'
            - '\LOCAL SERVICE'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|endswith: # System
            - '\SYSTEM'
            - '\Système'
            - '\СИСТЕМА'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DavSetCookie'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((ActorUsername contains "AUTHORI" or ActorUsername contains "AUTORI") and (ActorUsername endswith "\\NETWORK SERVICE" or ActorUsername endswith "\\LOCAL SERVICE") and (TargetUsername contains "AUTHORI" or TargetUsername contains "AUTORI") and (TargetUsername endswith "\\SYSTEM" or TargetUsername endswith "\\Système" or TargetUsername endswith "\\СИСТЕМА") and (TargetProcessIntegrityLevel in~ ("System", "S-1-16-16384"))) and (not((TargetProcessName endswith "\\rundll32.exe" and TargetProcessCommandLine contains "DavSetCookie")))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml