LOLBin Escalation Vector

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

Detects abuse of tools like PsExec, PAExec, or NirCmd by SYSTEM accounts combined with privilege escalation alerts. This signifies attackers leveraging trusted utilities (LOLBins) to elevate privileges and bypass controls post-compromise.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "psexec.exe,PsExec64.exe,nircmd.exe,nircmdc.exe,paexec.exe" OR ORIGINALFILENAME = "PsExec.c,nircmd.exe,paexec.exe") Action2: actionname = "Detection Events" AND (NAME = "suspicious activity" AND MITRETACTIC = "privilege escalation" AND MITRETECHNIQUE = "abuse elevation control mechanism" AND USERNAME endswith "$") AND ENDPOINT_NAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 10m select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.NAME,Action2.SEVERITYLEVEL,Action2.FILE_NAME,Action2.FILEPATH,Action2.ENDPOINT_NAME,Action2.DOMAIN,Action2.USERNAME,Action2.PATTERN,Action2.OUTCOME,Action2.MITRETACTIC,Action2.MITRETECHNIQUE,Action2.CATEGORY,Action2.COMMANDLINE

Detection

Execution Mode

realtime

Log Sources

CrowdStrike Falcon