Vendor
high
advisory
Privilege Elevation via Parent Process PID Spoofing
2 rules 1 TTP
This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.
Elastic Endpoint +2
privilege-escalation
windows
ppid-spoofing
2r
1t
medium
advisory
Remote Execution via File Shares
2 rules 2 TTPs
This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.
lateral-movement
file-share
windows
2r
2t
medium
advisory
Remote Execution via File Shares
2 rules 2 TTPs
The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.
Elastic Defend
lateral-movement
file-shares
windows
2r
2t