Local Account TokenFilter Policy Disabled
Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.
Elastic rule
[metadata]
creation_date = "2022/11/01"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by
default) and is set to 1, then remote connections from all local members of Administrators are granted full
high-integrity tokens during negotiation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Local Account TokenFilter Policy Disabled"
references = [
  "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439",
  "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167",
  "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
]
risk_score = 47
rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Tactic: Lateral Movement",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender for Endpoint",
  "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : "LocalAccountTokenFilterPolicy" and
  registry.path : (
    "HKLM\\*\\LocalAccountTokenFilterPolicy",
    "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy",
    "MACHINE\\*\\LocalAccountTokenFilterPolicy"
  ) and registry.data.strings : ("1", "0x00000001")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Local Account TokenFilter Policy Disabled

The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled, allows remote connections from local administrators to use full high-integrity tokens. Adversaries may exploit this to bypass User Account Control (UAC) and gain elevated privileges remotely. The detection rule monitors changes to this registry setting, identifying potential unauthorized modifications that could indicate an attempt to facilitate lateral movement or evade defenses.

### Possible investigation steps

- Review the registry event logs to confirm the change to the LocalAccountTokenFilterPolicy setting, specifically looking for entries where the registry.value is "LocalAccountTokenFilterPolicy" and registry.data.strings is "1" or "0x00000001".
- Identify the user account and process responsible for the registry modification by examining the associated event logs for user and process information.
- Check for any recent remote connections to the affected system, focusing on connections initiated by local administrator accounts, to determine if the change was exploited for lateral movement.
- Investigate any other recent registry changes on the host to identify potential patterns of unauthorized modifications that could indicate broader malicious activity.
- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and assess the scope of the potential threat.
- Assess the system for signs of compromise or malicious activity, such as unusual processes, network connections, or file modifications, that may have occurred around the time of the registry change.

### False positive analysis

- Administrative tools or scripts that modify the LocalAccountTokenFilterPolicy for legitimate configuration purposes may trigger alerts. To manage this, identify and document these tools, then create exceptions for their known registry changes.
- System updates or patches that adjust registry settings as part of their installation process can cause false positives. Monitor update schedules and correlate alerts with these activities to determine if they are benign.
- Security software or management solutions that enforce policy changes across endpoints might modify this registry setting. Verify these actions with your IT or security team and consider excluding these processes from triggering alerts.
- Custom scripts or automation tasks used for system hardening or configuration management may alter this setting. Review these scripts and whitelist their expected changes to prevent unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Revert the registry setting for LocalAccountTokenFilterPolicy to its default state if it was modified without authorization.
- Conduct a thorough review of recent administrative activities and access logs on the affected system to identify any unauthorized access or changes.
- Reset passwords for all local administrator accounts on the affected system to prevent potential misuse of compromised credentials.
- Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign.
- Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.002"
name = "Pass the Hash"
reference = "https://attack.mitre.org/techniques/T1550/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
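To see which registry events the EQL query above fires on and which it deliberately leaves alone (a revert to 0, the same value name under a user hive, a deletion rather than a change), here is an added Python re-implementation of the rule's predicate run over constructed events. This is example code written for this page, not part of the Elastic rule; the field names follow the ECS fields the query uses, and the key path, SID and process names are assumed sample values.

```python
import re

# Path patterns and enabling values copied from the rule's EQL query.
# EQL ':' compares case-insensitively and treats '*' as a wildcard.
PATH_PATTERNS = [
    r"HKLM\*\LocalAccountTokenFilterPolicy",
    r"\REGISTRY\MACHINE\*\LocalAccountTokenFilterPolicy",
    r"MACHINE\*\LocalAccountTokenFilterPolicy",
]
ENABLED_VALUES = {"1", "0x00000001"}


def eql_wildcard(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into a case-insensitive regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


COMPILED_PATHS = [eql_wildcard(p) for p in PATH_PATTERNS]


def matches_rule(event: dict) -> bool:
    """Mirror of the rule's EQL predicate over one ECS-style registry event."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if (event.get("registry.value") or "").lower() != "localaccounttokenfilterpolicy":
        return False
    if not any(rx.fullmatch(event.get("registry.path") or "") for rx in COMPILED_PATHS):
        return False
    return any(s.lower() in ENABLED_VALUES for s in event.get("registry.data.strings") or [])


def reg_event(path, data, etype="change", process="reg.exe"):
    """Build a constructed (not captured) registry event using the rule's field names."""
    return {"host.os.type": "windows", "event.type": etype, "registry.path": path,
            "registry.value": "LocalAccountTokenFilterPolicy",
            "registry.data.strings": [data], "process.name": process}


# Assumed sample key path; the policy's real home is HKLM\...\Policies\System.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    reg_event(POLICY_KEY + r"\LocalAccountTokenFilterPolicy", "1"),                      # fires
    reg_event(r"\REGISTRY\MACHINE" + POLICY_KEY[4:] + r"\LocalAccountTokenFilterPolicy",
              "0x00000001", process="powershell.exe"),                                    # fires (native path form)
    reg_event(POLICY_KEY + r"\LocalAccountTokenFilterPolicy", "0"),                      # revert to default: silent
    reg_event(r"HKU\S-1-5-21-1000\Policies\System\LocalAccountTokenFilterPolicy", "1"),  # user hive: silent
    reg_event(POLICY_KEY + r"\LocalAccountTokenFilterPolicy", "1", etype="deletion"),    # not a change: silent
]


def alerts(events):
    """Return (index, process.name) for every event that would raise this alert."""
    return [(i, ev["process.name"]) for i, ev in enumerate(events) if matches_rule(ev)]
```

The two matches carry the responsible process name, which is the first pivot the investigation steps ask for.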
Related rules
- NullSessionPipe Registry Modification
- RDP Enabled via Registry
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Command Shell Activity Started via RunDLL32
- DNS Global Query Block List Modified or Disabled