Process Creation via Secondary Logon
Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/30"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to
11escalate privileges and bypass access controls.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Process Creation via Secondary Logon"
18references = ["https://attack.mitre.org/techniques/T1134/002/"]
19risk_score = 47
20rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
21setup = """## Setup
22
23Audit events 4624 and 4688 are needed to trigger this rule.
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
33type = "eql"
34
35query = '''
36sequence by winlog.computer_name with maxspan=1m
37
38[authentication where event.action:"logged-in" and
39 event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and
40
41 /* seclogon service */
42 process.name == "svchost.exe" and
43 winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId
44
45[process where event.type == "start"] by winlog.event_data.TargetLogonId
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1134"
53name = "Access Token Manipulation"
54reference = "https://attack.mitre.org/techniques/T1134/"
55[[rule.threat.technique.subtechnique]]
56id = "T1134.002"
57name = "Create Process with Token"
58reference = "https://attack.mitre.org/techniques/T1134/002/"
59
60[[rule.threat.technique.subtechnique]]
61id = "T1134.003"
62name = "Make and Impersonate Token"
63reference = "https://attack.mitre.org/techniques/T1134/003/"
64
65
66
67[rule.threat.tactic]
68id = "TA0004"
69name = "Privilege Escalation"
70reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
S0456 Aria-body Aria-body has the ability to execute a process using runas.[2] S0344 Azorult Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system priv...
Read More
Related rules
- Account Discovery Command via SYSTEM Account
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Disabling User Account Control via Registry Modification
- Expired or Revoked Driver Loaded