https://feed.craftedsignal.io/vendors/teamviewer-germany-gmbh/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 19:11:31 +0000https://feed.craftedsignal.io/briefs/2026-05-process-created-with-elevated-token/Tue, 12 May 2026 19:11:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-process-created-with-elevated-token/This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.This detection rule identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary. The technique, often referred to as token theft, allows adversaries to escalate privileges and bypass access controls by creating a new process with a different token. The rule focuses on detecting instances where a process is initiated with the SYSTEM user ID (S-1-5-18) and its effective parent process is a privileged Microsoft native binary located in a standard Windows directory. This activity is indicative of an attempt to hijack a legitimate system process’s token for malicious purposes. This can lead to full system compromise.

Attack Chain

1. An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
2. The attacker identifies a privileged Windows process, such as a service running as SYSTEM, as a target for token theft.
3. The attacker uses the CreateProcessWithTokenW API (or similar) to create a new process.
4. The new process is configured to run under the security context (token) of the targeted privileged process.
5. The attacker then executes malicious code within the context of the newly created process.
6. This malicious code now operates with SYSTEM-level privileges, bypassing normal access controls.
7. The attacker can then use these elevated privileges to install malware, modify system settings, or steal sensitive data.
8. Finally, the adversary achieves persistence and control of the system.

Impact

Successful exploitation allows attackers to perform any action on the system with the highest privileges. This includes installing malware, accessing sensitive data, creating new user accounts with administrative rights, and disabling security controls. The impact is a complete compromise of the affected system. The Elastic rule has a risk score of 73 and is classified as high severity.

Recommendation

• Enable Elastic Defend to collect the necessary process creation events, as specified in the setup instructions.
• Deploy the provided Sigma rule to your SIEM to detect processes created with elevated tokens. Tune the rule based on observed false positives in your environment.
• Investigate any alerts generated by the Sigma rule by examining the process tree, focusing on the user.id, process.executable, process.parent.executable, and process.Ext.effective_parent.executable fields as outlined in the rule’s note section.
• Review and validate any exceptions before implementing them, ensuring that the exact child/parent/effective-parent pattern is stable for the same host or managed host group, and avoid broad exceptions.

]]>highadvisoryprivilege-escalationtoken-theftwindowshttps://feed.craftedsignal.io/briefs/2026-05-privilege-elevation-via-ppid-spoofing/Tue, 12 May 2026 19:10:58 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-privilege-elevation-via-ppid-spoofing/This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.This detection identifies a technique known as parent process ID (PPID) spoofing used to elevate privileges on Windows systems. PPID spoofing involves creating a new process with a spoofed parent process ID to evade process monitoring defenses or gain higher privileges. This is achieved by manipulating the UpdateProcThreadAttribute API. The detection specifically looks for processes running as SYSTEM (user.id : "S-1-5-18") where the real parent PID (process.parent.Ext.real.pid) differs from the reported parent PID, which could indicate spoofing. The rule aims to identify privilege escalation attempts while excluding common false positives like Windows Error Reporting, update processes, and certain third-party software. This behavior matters for defenders because successful PPID spoofing can allow attackers to execute malicious code with elevated privileges, potentially leading to complete system compromise.

Attack Chain

1. An attacker gains initial access to the system, potentially through exploitation of a vulnerability or social engineering.
2. The attacker executes a malicious program or script designed to perform PPID spoofing.
3. The malicious program uses the UpdateProcThreadAttribute API to set a custom parent process ID (PPID) for a new process.
4. The attacker attempts to create a new process with SYSTEM privileges, often through the seclogon service. The new process inherits the spoofed PPID.
5. The system creates the new process with the specified (spoofed) parent PID, while the Ext.real.pid reflects the true creator process.
6. The spoofed process executes malicious commands, leveraging SYSTEM privileges. This could involve installing backdoors, modifying system configurations, or stealing sensitive data.
7. The attacker attempts to move laterally within the network, utilizing the compromised system as a launchpad.
8. The final objective could be data exfiltration, ransomware deployment, or long-term persistence within the environment.

Impact

Successful PPID spoofing can grant attackers SYSTEM-level privileges, allowing them to perform virtually any action on the compromised system. This can lead to data theft, system corruption, or the installation of persistent backdoors. A single compromised system can serve as a beachhead for further attacks within the network. The potential damage includes significant financial losses, reputational damage, and disruption of business operations. The rule is designed to detect this activity before significant damage occurs by identifying the initial elevation of privileges via PPID spoofing.

Recommendation

• Deploy the provided Sigma rules to your SIEM to detect potential PPID spoofing attempts, focusing on the processes running as SYSTEM with mismatched parent PIDs (process.parent.Ext.real.pid vs process.parent.pid).
• Enable process creation logging with full command-line auditing to capture the necessary data for the Sigma rules to function effectively.
• Investigate any alerts generated by the Sigma rules by examining the parent and child processes, as well as the user context and command-line arguments.
• Implement application control policies to restrict the execution of unauthorized or untrusted executables, mitigating the risk of malicious code execution via PPID spoofing.
• Review and harden the configuration of systems with elevated privileges to minimize the potential impact of successful privilege escalation attacks.
• Tune the Sigma rules based on your environment to reduce false positives by excluding known-benign processes and applications.
• Consult the references for more context on PPID spoofing and mitigation strategies.

]]>highadvisoryprivilege-escalationwindowsppid-spoofing