LOLBin Escalation Vector
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
Detects abuse of tools like PsExec, PAExec, or NirCmd by SYSTEM accounts combined with privilege escalation alerts. This signifies attackers leveraging trusted utilities (LOLBins) to elevate privileges and bypass controls post-compromise.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (PROCESSNAME endswith "psexec.exe,PsExec64.exe,nircmd.exe,nircmdc.exe,paexec.exe" OR ORIGINALFILENAME = "PsExec.c,nircmd.exe,paexec.exe")
Action2:
actionname = "Detection Events" AND (NAME = "suspicious activity" AND MITRETACTIC = "privilege escalation" AND MITRETECHNIQUE = "abuse elevation control mechanism" AND USERNAME endswith "$") AND ENDPOINT_NAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME
sequence:Action1 followedby Action2 within 10m
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.NAME,Action2.SEVERITYLEVEL,Action2.FILE_NAME,Action2.FILEPATH,Action2.ENDPOINT_NAME,Action2.DOMAIN,Action2.USERNAME,Action2.PATTERN,Action2.OUTCOME,Action2.MITRETACTIC,Action2.MITRETECHNIQUE,Action2.CATEGORY,Action2.COMMANDLINE
Detection
Execution Mode
realtime
Log Sources
CrowdStrike Falcon


