feat(rules): Add Potential privilege escalation via DeadPotato exploit rule

Detects potential privilege escalation activity consistent with the DeadPotato
exploit. Attackers can abuse the DCOM RPCSS service flaw to start an elevated
process allowing unrestricted access over the machine for critical operations to
be freely performed.

Author: rabbitstack

rules/privilege_escalation_potential_privilege_escalation_via_deadpotato_exploit.yml

@@ -0,0 +1,33 @@
+name: Potential privilege escalation via DeadPotato exploit
+id: 3911130a-b71c-4994-a7c3-5ae07dc0abe0
+version: 1.0.0
+description: |
+  Detects potential privilege escalation activity consistent with the DeadPotato
+  exploit. Attackers can abuse the DCOM RPCSS service flaw to start an elevated
+  process allowing unrestricted access over the machine for critical operations to
+  be freely performed.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1068
+  technique.name: Exploitation for Privilege Escalation
+  technique.ref: https://attack.mitre.org/techniques/T1068/
+references:
+  - https://github.com/lypd0/DeadPotato
+
+condition: >
+  sequence
+  maxspan 1m
+    |connect_socket and
+     ps.name = 'svchost.exe' and ps.args intersects ('-k', 'RPCSS') and
+     net.dport = 135 and (net.dip = 127.0.0.1 or net.dip = '::1')
+    |
+    |spawn_process and
+     ps.token.integrity_level = 'SYSTEM' and
+     ps.exe not imatches '?:\\WINDOWS\\system32\\conhost.exe'
+    |
+
+severity: high
+
+min-engine-version: 3.0.0