Vendor
high
advisory
Process Created with an Elevated Token via Token Theft
2 rules, 1 TTP
This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.
privilege-escalation
token-theft
windows
high
advisory
Privilege Elevation via Parent Process PID Spoofing
2 rules, 1 TTP
This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.
Elastic Endpoint +2
privilege-escalation
windows
ppid-spoofing