Date: 04/08/2025
Severity: Medium
Summary
"Elevated System Shell Spawned" refers to the detection of shell programs such as Windows Command Prompt or PowerShell being launched with SYSTEM privileges: a process-creation event whose image is a shell, whose user is the NT AUTHORITY account and whose logon session is the SYSTEM session (0x3e7). This event is flagged as potentially suspicious and is used to monitor for unauthorized or malicious activity involving elevated access to the system.
Indicators of Compromise (IOC) List
Field | Values
Processname | '\powershell.exe', '\powershell_ise.exe', '\pwsh.exe', '\cmd.exe'
OriginalFileName | 'PowerShell.EXE', 'powershell_ise.EXE', 'pwsh.dll', 'Cmd.Exe'
User | 'AUTHORI', 'AUTORI'
LogonId | '0x3e7'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | ((resourcename in ("Windows Security") AND eventtype = "4688") AND processname IN ("\powershell.exe","\powershell_ise.exe","\pwsh.exe","\cmd.exe") AND (user like "AUTHORI" OR user like "AUTORI") AND logonid like "0x3e7")
Detection Query 2 | (technologygroup = "EDR" AND processname IN ("\powershell.exe","\powershell_ise.exe","\pwsh.exe","\cmd.exe") AND (user like "AUTHORI" OR user like "AUTORI") AND logonid like "0x3e7")
Detection Query 3 | (resourcename = "Sysmon" AND eventtype = "1" AND filename IN ("PowerShell.EXE","powershell_ise.EXE","pwsh.dll","Cmd.Exe") AND processname IN ("\powershell.exe","\powershell_ise.exe","\pwsh.exe","\cmd.exe") AND (user like "AUTHORI" OR user like "AUTORI") AND logonid like "0x3e7")
Detection Query 4 | (technologygroup = "EDR" AND filename IN ("PowerShell.EXE","powershell_ise.EXE","pwsh.dll","Cmd.Exe") AND processname IN ("\powershell.exe","\powershell_ise.exe","\pwsh.exe","\cmd.exe") AND (user like "AUTHORI" OR user like "AUTORI") AND logonid like "0x3e7")
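As an added example (not Gurucul's queries or the Sigma project's rule), the following Python applies the same indicator checks to a handful of constructed process-creation events, first mapping the Windows Security 4688 field names (NewProcessName, SubjectDomainName/SubjectUserName, SubjectLogonId) and the Sysmon event 1 names (Image, OriginalFileName, User, LogonId) onto one schema. It assumes the query language's `like` behaves as a case-insensitive substring match, and it makes one deliberate widening relative to queries 3 and 4, which require both the process name and the original file name to match: here a matching OriginalFileName alone is enough to count the process as a shell, so a renamed shell binary is still caught. The sample events, the field-name mapping and that widening are assumptions of this example.

```python
"""Match process-creation events against the 'Elevated System Shell Spawned'
indicators: a shell image or original file name, a user string containing
AUTHORI / AUTORI, and the SYSTEM logon session 0x3e7.  Sample events below are
constructed for the example; the field mapping is an assumption of the example."""
from typing import Optional

SHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe", "\\cmd.exe")
SHELL_ORIGINAL_NAMES = ("powershell.exe", "powershell_ise.exe", "pwsh.dll", "cmd.exe")
# 'AUTHORI' matches NT AUTHORITY; 'AUTORI' covers localised spellings of the account
SYSTEM_USER_MARKERS = ("AUTHORI", "AUTORI")
SYSTEM_LOGON_ID = 0x3E7  # logon session 999, the SYSTEM session


def normalise(event: dict) -> dict:
    """Map Security 4688 and Sysmon event 1 field names onto one schema (assumed mapping)."""
    if event.get("EventID") == 4688:
        user = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"
        return {
            "image": event.get("NewProcessName", ""),
            "original_name": "",  # 4688 carries no OriginalFileName field
            "user": user,
            "logon_id": event.get("SubjectLogonId", ""),
        }
    # Sysmon event 1 (EDR process events typically expose the same names)
    return {
        "image": event.get("Image", ""),
        "original_name": event.get("OriginalFileName", ""),
        "user": event.get("User", ""),
        "logon_id": event.get("LogonId", ""),
    }


def parse_logon_id(value) -> Optional[int]:
    """LogonId arrives as hex text ('0x3e7', '0x3E7') or decimal; return it as an int."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None


def is_shell(n: dict) -> bool:
    """Shell by image path suffix, or by original file name (catches renamed binaries)."""
    image = n["image"].lower()
    original = n["original_name"].lower()
    return image.endswith(SHELL_IMAGES) or original in SHELL_ORIGINAL_NAMES


def is_system_context(n: dict) -> bool:
    """User string names the NT AUTHORITY account AND the logon session is 0x3e7."""
    user_upper = n["user"].upper()
    return (any(marker in user_upper for marker in SYSTEM_USER_MARKERS)
            and parse_logon_id(n["logon_id"]) == SYSTEM_LOGON_ID)


def is_elevated_system_shell(event: dict) -> bool:
    n = normalise(event)
    return is_shell(n) and is_system_context(n)


# Constructed sample events: two Security 4688 records and four Sysmon event 1 records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "SubjectLogonId": "0x3e7"},                                   # hit
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5c4d2"},                                 # ordinary user: no hit
    {"EventID": 1, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll", "User": "AUTORITE NT\\Système",
     "LogonId": "0x3E7"},                                          # localised SYSTEM: hit
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "User": "NT AUTHORITY\\SYSTEM",
     "LogonId": "0x3e7"},                                          # not a shell: no hit
    {"EventID": 1, "Image": r"C:\Temp\svc.exe",
     "OriginalFileName": "Cmd.Exe", "User": "NT AUTHORITY\\SYSTEM",
     "LogonId": "0x3e7"},                                          # renamed cmd.exe: hit
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "LogonId": "0x3e4"},                                          # other NT AUTHORITY session: no hit
]


def find_hits(events) -> list:
    """Return the indices of events that match all indicators."""
    return [i for i, e in enumerate(events) if is_elevated_system_shell(e)]


if __name__ == "__main__":
    for i in find_hits(SAMPLE_EVENTS):
        print("ALERT: elevated system shell ->", normalise(SAMPLE_EVENTS[i]))
```

The last sample event shows why the LogonId check matters: NETWORK SERVICE also carries the NT AUTHORITY prefix, so the user string alone would over-match; requiring session 0x3e7 keeps the rule focused on the SYSTEM account.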
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml