Permission Theft - Prevented - Elastic Endgame

 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4promotion = true
 5updated_date = "2025/03/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the
11rule.reference column for additional information.
12"""
13from = "now-2m"
14index = ["endgame-*"]
15interval = "1m"
16language = "kuery"
17license = "Elastic License v2"
18max_signals = 1000
19name = "Permission Theft - Prevented - Elastic Endgame"
20risk_score = 47
21rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
22setup = """## Setup
23
24### Additional notes
25
26For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
27"""
28severity = "medium"
29tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
30timestamp_override = "event.ingested"
31type = "query"
32
33query = '''
34event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
35'''
36note = """## Triage and analysis
37
38> **Disclaimer**:
39> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
40
41### Investigating Permission Theft - Prevented - Elastic Endgame
42
43Elastic Endgame is a security solution that prevents unauthorized access by monitoring and blocking attempts to manipulate access tokens, a common privilege escalation tactic. Adversaries exploit token manipulation to gain elevated permissions without detection. The detection rule identifies and alerts on prevention events related to token protection, leveraging specific event types and actions to flag suspicious activities, thus mitigating potential threats.
44
45### Possible investigation steps
46
47- Review the alert details to confirm the event.kind is 'alert' and event.module is 'endgame', ensuring the alert is relevant to Elastic Endgame's token protection.
48- Examine the event.action and endgame.event_subtype_full fields to determine if the alert was triggered by a 'token_protection_event', which indicates an attempt to manipulate access tokens.
49- Investigate the source and destination of the alert by analyzing associated IP addresses, user accounts, and hostnames to identify potential unauthorized access attempts.
50- Check the endgame.metadata.type field to verify that the event type is 'prevention', confirming that the attempted permission theft was successfully blocked.
51- Correlate the alert with other recent alerts or logs to identify patterns or repeated attempts that might indicate a persistent threat actor.
52- Assess the risk score and severity level to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
53
54### False positive analysis
55
56- Routine administrative tasks involving legitimate token manipulation may trigger alerts. Review the context of the event to determine if it aligns with expected administrative activities.
57- Scheduled scripts or automated processes that require token access might be flagged. Identify these processes and consider creating exceptions for known, safe operations.
58- Software updates or installations that involve token changes can generate alerts. Verify the source and purpose of the update to ensure it is authorized, and exclude these events if they are part of regular maintenance.
59- Security tools or monitoring solutions that interact with tokens for legitimate purposes may cause false positives. Cross-reference with known tool activities and whitelist these actions if they are verified as non-threatening.
60- User behavior analytics might misinterpret legitimate user actions as suspicious. Analyze user activity patterns and adjust the detection thresholds or rules to better align with normal user behavior.
61
62### Response and remediation
63
64- Immediately isolate the affected system to prevent further unauthorized access or privilege escalation attempts.
65- Revoke any potentially compromised access tokens and force re-authentication for affected accounts to ensure that only legitimate users regain access.
66- Conduct a thorough review of recent access logs and token usage to identify any unauthorized access or actions taken by the adversary.
67- Apply patches or updates to the affected systems and applications to address any vulnerabilities that may have been exploited for token manipulation.
68- Implement enhanced monitoring on the affected systems to detect any further attempts at access token manipulation or privilege escalation.
69- Notify the security team and relevant stakeholders about the incident, providing details of the threat and actions taken, and escalate to higher management if the threat level increases.
70- Review and update access control policies and token management practices to prevent similar incidents in the future, ensuring that only necessary permissions are granted and regularly audited."""
71
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1134"
77name = "Access Token Manipulation"
78reference = "https://attack.mitre.org/techniques/T1134/"
79
80
81[rule.threat.tactic]
82id = "TA0004"
83name = "Privilege Escalation"
84reference = "https://attack.mitre.org/tactics/TA0004/"