Product
high
advisory
Privileges Elevation via Parent Process PID Spoofing
1 TTPAdversaries utilize parent process ID (PPID) spoofing on Windows systems to create elevated child processes, typically to SYSTEM privileges, thereby evading process monitoring defenses and facilitating privilege escalation.
Windows Operating System
privilege-escalation
ppid-spoofing
windows
evasion
elastic-defend
1t
medium
advisory
Service Reconnaissance Via Wmic.EXE
1 rule 1 TTPAdversaries leverage the native Windows Management Instrumentation Command-line (WMIC) utility to perform service reconnaissance on remote systems, querying for existing services as a prelude to identifying potential targets for lateral movement or privilege escalation.
Windows Operating System
windows
reconnaissance
wmic
internal-recon
1r
1t