Process Creation via Secondary Logon
Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/30"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/23"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to
13escalate privileges and bypass access controls.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Process Creation via Secondary Logon"
20references = ["https://attack.mitre.org/techniques/T1134/002/"]
21risk_score = 47
22rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
23setup = """## Setup
24
25Audit events 4624 and 4688 are needed to trigger this rule.
26
27If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
28events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
29Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
30`event.ingested` to @timestamp.
31For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
32"""
33severity = "medium"
34tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
35type = "eql"
36
37query = '''
38sequence by winlog.computer_name with maxspan=1m
39
40[authentication where event.action:"logged-in" and
41 event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and
42
43 /* seclogon service */
44 process.name == "svchost.exe" and
45 winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId
46
47[process where event.type == "start"] by winlog.event_data.TargetLogonId
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1134"
55name = "Access Token Manipulation"
56reference = "https://attack.mitre.org/techniques/T1134/"
57[[rule.threat.technique.subtechnique]]
58id = "T1134.002"
59name = "Create Process with Token"
60reference = "https://attack.mitre.org/techniques/T1134/002/"
61
62[[rule.threat.technique.subtechnique]]
63id = "T1134.003"
64name = "Make and Impersonate Token"
65reference = "https://attack.mitre.org/techniques/T1134/003/"
66
67
68
69[rule.threat.tactic]
70id = "TA0004"
71name = "Privilege Escalation"
72reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
S0456 Aria-body Aria-body has the ability to execute a process using runas.[2] S0344 Azorult Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system priv...
Read More
Related rules
- Access to a Sensitive LDAP Attribute
- FirstTime Seen Account Performing DCSync
- Group Policy Abuse for Privilege Addition
- Interactive Logon by an Unusual Process
- Kerberos Pre-authentication Disabled for User