Permission Theft - Detected - Elastic Endgame
Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
maturity = "production"
promotion = true
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
description = """
Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the
rule.reference column for additional information.
"""
from = "now-2m"
index = ["endgame-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Permission Theft - Detected - Elastic Endgame"
risk_score = 73
rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
setup = """## Setup

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "high"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Permission Theft - Detected - Elastic Endgame

Elastic Endgame is Elastic's endpoint protection agent. Its token protection watches for processes that steal, duplicate or impersonate Windows access tokens belonging to other security principals, the behaviour MITRE ATT&CK catalogues as Access Token Manipulation (T1134) and which adversaries use to run code as SYSTEM, as a service account or as a logged-on administrator. This rule is a promotion rule (`promotion = true`): it performs no detection of its own but re-raises Endgame's `token_protection_event` detections as Elastic Security alerts with severity high and risk score 73. Because the query requires `endgame.metadata.type:detection`, every alert it produces describes activity Endgame observed but did not block; the blocked case is covered by the sibling rule 'Permission Theft - Prevented - Elastic Endgame'. Treat a Detected alert as a privilege escalation that may already have succeeded.

### Possible investigation steps

- Confirm the verdict type. The query fixes `endgame.metadata.type` to `detection`, so the token manipulation was reported, not blocked; assume the flagged process now holds the privileges of the token it took.
- Note which condition matched, `event.action:token_protection_event` or `endgame.event_subtype_full:token_protection_event`, then open Endgame's own alert (the icon in the event.module column or the link in rule.reference) for the detail the promoted event does not carry.
- Identify the process that performed the manipulation, its parent and command line, and the account whose token was targeted. Token theft is only useful when the target token is more privileged than the caller, so a process running as a standard user that ends up with a SYSTEM or administrator token is the pattern to look for. Check the executable's path, hash and signature and whether it is expected on that host.
- Establish how the process obtained the access it needed. Opening another user's process normally requires SeDebugPrivilege or an existing administrator context, so check whether the account was already privileged or whether an earlier escalation or exploit preceded the event.
- Look for follow-on activity from the same host and process: child processes running under a different user, new services or scheduled tasks, account or group membership changes, and network logons to other hosts.
- Correlate with other Endgame alerts on the same host, in particular the Credential Manipulation and Exploit rules listed under related rules, since token theft often follows credential access or an exploit and precedes lateral movement.
- Consult MITRE ATT&CK T1134 and its sub-techniques (Token Impersonation/Theft, Create Process with Token, Make and Impersonate Token, Parent PID Spoofing, SID-History Injection) to classify the behaviour and choose mitigations.

### False positive analysis

- Some legitimate software duplicates or impersonates tokens by design: backup agents, remote management and monitoring tools, endpoint security and vulnerability scanners, and installers that elevate or run helper processes as another user. Confirm the binary is signed by the expected vendor and runs from its installed location before excluding it.
- Build exceptions on the process, not the account. Use an Elastic Security rule exception keyed on the executable path or hash (and code signer where available); the user in the alert is frequently the legitimate account whose token was taken, so an exception on user or host alone would hide real attacks.
- Administrative tooling that deliberately runs commands as SYSTEM or as another user will trigger the same detection. Document these tools and their expected operators rather than excluding them globally.
- A single noisy but benign tool can push the rule against its max_signals limit of 1000 per run and hide other alerts behind the cap; aggregate alerts by host and executable before deciding what to except, and see the setup section for the max-alerts troubleshooting guide.
- This rule only promotes Endgame's verdict, so tuning can be done either with an Elastic Security exception or at the source, in the Endgame policy that produced the detection.

### Response and remediation

- Isolate the affected host from the network to stop lateral movement while the investigation proceeds.
- Terminate the process holding the stolen token and every process it spawned. A duplicated Windows access token lives as long as some process holds a handle to it and cannot be revoked on its own, so ending those processes (or the logon session) is what actually removes the elevated access.
- Treat the account whose token was taken as compromised: reset its credentials where that is possible (domain user, service or administrator accounts), rotate any secrets it could reach, and review group memberships, services, scheduled tasks and new accounts created under that identity for persistence.
- Reconstruct what the process did while it held the token, including files written, registry and service changes, and network connections, and extend the review to other hosts it authenticated to.
- Determine how the process arrived on the host, correlating with any Exploit or Credential Manipulation alerts, and remediate that initial access path.
- Restore altered or deleted data from backups taken before the intrusion, after verifying the backups are clean.
- Escalate to the SOC or incident response team to scope whether other hosts or accounts are affected.
- Where Endgame's token protection is running in detect-only mode on this host, consider moving it to prevention so the same behaviour is blocked (and surfaced by the Prevented rule) rather than only reported, and enforce multi-factor authentication and least privilege for the accounts involved."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
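To make the rule's predicate concrete, the following is an added Python example, not part of the rule above and not Elastic's code. It applies the same conditions as the KQL query to a handful of constructed Endgame-style documents, keeps Detected and Prevented verdicts apart, drops executables covered by a rule exception, and groups what remains by host, user and executable so a noisy tool shows up as one line rather than hundreds of alerts. The event.* and endgame.* fields are the ones the query names; host.name, user.name and process.executable are assumed ECS mappings, and the documents themselves are constructed, not real Endgame output.

```python
"""Replay of the 'Permission Theft - Detected - Elastic Endgame' predicate over sample documents.

Added example, not Elastic's code. The event.* and endgame.* fields are those named in the
rule query; host.name, user.name and process.executable are assumed ECS mappings.
"""
from collections import Counter

TOKEN_EVENT = "token_protection_event"

# Constructed sample documents, not real Endgame output.
SAMPLE_DOCS = [
    {   # Detected, flagged through event.action
        "event": {"kind": "alert", "module": "endgame", "action": TOKEN_EVENT},
        "endgame": {"metadata": {"type": "detection"}},
        "host": {"name": "ws-101"}, "user": {"name": "jdoe"},
        "process": {"executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    },
    {   # Detected, flagged only through endgame.event_subtype_full (the OR branch of the query)
        "event": {"kind": "alert", "module": "endgame", "action": "detection_event"},
        "endgame": {"metadata": {"type": "detection"}, "event_subtype_full": TOKEN_EVENT},
        "host": {"name": "ws-101"}, "user": {"name": "jdoe"},
        "process": {"executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    },
    {   # Prevented: Endgame blocked it, so it belongs to the sibling Prevented rule, not this one
        "event": {"kind": "alert", "module": "endgame", "action": TOKEN_EVENT},
        "endgame": {"metadata": {"type": "prevention"}},
        "host": {"name": "srv-7"}, "user": {"name": "svc_backup"},
        "process": {"executable": "C:\\Windows\\Temp\\x.exe"},
    },
    {   # Plain telemetry (event.kind is not 'alert'): never promoted
        "event": {"kind": "event", "module": "endgame", "action": TOKEN_EVENT},
        "endgame": {"metadata": {"type": "detection"}},
        "host": {"name": "srv-7"}, "user": {"name": "SYSTEM"},
        "process": {"executable": "C:\\Windows\\System32\\services.exe"},
    },
    {   # Detected, but from an approved tool: candidate for a rule exception on the executable
        "event": {"kind": "alert", "module": "endgame", "action": TOKEN_EVENT},
        "endgame": {"metadata": {"type": "detection"}},
        "host": {"name": "srv-7"}, "user": {"name": "svc_scanner"},
        "process": {"executable": "C:\\Program Files\\ApprovedScanner\\scan.exe"},
    },
]


def field(doc, path):
    """Read a dotted field such as 'endgame.metadata.type'; None when any part is absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_token_protection_alert(doc):
    """The part of the query shared by the Detected and Prevented rules."""
    return (
        field(doc, "event.kind") == "alert"
        and field(doc, "event.module") == "endgame"
        and TOKEN_EVENT in (field(doc, "event.action"), field(doc, "endgame.event_subtype_full"))
    )


def permission_theft_detected(doc):
    """Predicate of this rule: Endgame saw the token manipulation but did not block it."""
    return is_token_protection_alert(doc) and field(doc, "endgame.metadata.type") == "detection"


def permission_theft_prevented(doc):
    """Predicate of the sibling Prevented rule: Endgame blocked the manipulation."""
    return is_token_protection_alert(doc) and field(doc, "endgame.metadata.type") == "prevention"


def triage(docs, excepted_executables=()):
    """Apply the Detected predicate, drop executables covered by a rule exception (keyed on the
    process, never on the user, who is usually the victim of the theft), and summarise the rest
    by (host, user, executable). Returns (hits, suppressed, summary)."""
    hits, suppressed = [], []
    for doc in docs:
        if not permission_theft_detected(doc):
            continue
        if field(doc, "process.executable") in excepted_executables:
            suppressed.append(doc)
        else:
            hits.append(doc)
    summary = Counter(
        (field(d, "host.name"), field(d, "user.name"), field(d, "process.executable")) for d in hits
    )
    return hits, suppressed, summary


if __name__ == "__main__":
    hits, suppressed, summary = triage(
        SAMPLE_DOCS, excepted_executables=("C:\\Program Files\\ApprovedScanner\\scan.exe",)
    )
    for (host, user, exe), n in summary.items():
        print(f"{host}: {n} unblocked token manipulation(s) by {exe}, user field {user}")
    print(f"{len(suppressed)} alert(s) suppressed by exception, "
          f"{sum(permission_theft_prevented(d) for d in SAMPLE_DOCS)} prevented (sibling rule)")
```

Run as-is it reports two unblocked manipulations on ws-101 collapsed into one line, one alert suppressed by the exception, and one prevented event that this rule does not match. The exception is deliberately keyed on the executable rather than the user: in a real token theft the user field names the account whose token was taken, so an exception on the account would hide exactly the alerts that matter.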
Related rules
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame