Vendor
high
advisory
Privilege Elevation via Parent Process PID Spoofing
2 rules 1 TTPThis rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.
Elastic Endpoint +2
privilege-escalation
windows
ppid-spoofing
2r
1t
medium
advisory
Suspicious Module Loaded by LSASS for Credential Access
2 rules 2 TTPsDetection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.
credential-access
lsass
windows
2r
2t