From 2e977a68bdce5e0f82fa18433785108b0c6c7cbb Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 28 Jan 2026 11:48:36 +0100
Subject: [PATCH] feat(rules): Add Suspicious child process integrity level rule

Identifies the execution of the parent process running with low/medium integrity level that spawns a child process with the system integrity level. Because normal user-mode applications at lower integrity levels rarely legitimately create new processes running with SYSTEM privileges, this pattern is a strong indicator of privilege escalation or token manipulation where an attacker abuses a privileged token to execute code.
---
 ...spicious_child_process_integrity_level.yml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 rules/privilege_escalation_suspicious_child_process_integrity_level.yml

diff --git a/rules/privilege_escalation_suspicious_child_process_integrity_level.yml b/rules/privilege_escalation_suspicious_child_process_integrity_level.yml
new file mode 100644
index 000000000..7439c1baa
--- /dev/null
+++ b/rules/privilege_escalation_suspicious_child_process_integrity_level.yml
@@ -0,0 +1,44 @@
+name: Suspicious child process integrity level
+id: b958e949-a16a-4d66-b008-15f4e8382a6e
+version: 1.0.0
+description: |
+ Identifies the execution of the parent process running with low/medium integrity
+ level that spawns a child process with the system integrity level. Because normal
+ user-mode applications at lower integrity levels rarely legitimately create new
+ processes running with SYSTEM privileges, this pattern is a strong indicator of
+ privilege escalation or token manipulation where an attacker abuses a privileged
+ token to execute code.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1134
+ technique.name: Access Token Manipulation
+ technique.ref: https://attack.mitre.org/techniques/T1134/
+ subtechnique.id: T1134.002
+ subtechnique.name: Create Process with Token
+ subtechnique.ref: https://attack.mitre.org/techniques/T1134/002/
+
+condition: >
+ sequence
+ maxspan 8m
+ |spawn_process and ps.token.integrity_level in ('LOW', 'MEDIUM')| by ps.uuid
+ |spawn_process and
+ ps.sid = 'S-1-5-18' and
+ ps.token.integrity_level = 'SYSTEM' and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\wermgr.exe',
+ '?:\\Windows\\System32\\WerFault.exe',
+ '?:\\Windows\\SysWOW64\\WerFault.exe',
+ '?:\\Windows\\System32\\WerFaultSecure.exe'
+ )
+ | by ps.parent.uuid
+action:
+ - name: kill
+
+output: >
+ Suspicious process %1.ps.exe spawned the process %2.ps.exe with System integrity level
+severity: critical
+
+min-engine-version: 3.0.0
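Review bot: The first stage of the sequence (`|spawn_process and ps.token.integrity_level in ('LOW', 'MEDIUM')| by ps.uuid`) anchors on the parent's own creation event, so, reading `ps` in a spawn_process event as the newly created process, a LOW/MEDIUM parent is only tracked when its start was observed inside the 8-minute `maxspan`; a long-lived user process that started at logon or before the sensor and later spawns a SYSTEM child never completes the sequence and the `kill` action never fires. If the engine exposes the parent's integrity level on the child's event, a single-event condition on the child would close that gap; otherwise the limitation should at least be stated in `description` and a larger `maxspan` considered. The `ps.exe not imatches` exclusion is path-only and carries no rationale; a comment above the list such as `# WER components are expected to appear as SYSTEM-integrity children of the faulting process and are excluded here` (wording to be confirmed against how WER actually assigns the parent) would document it, and pairing the path match with a signature or trust check, where the engine provides one, would make the exclusion tighter than a filename alone.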