Process Creation via Secondary Logon
Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule
[metadata]
creation_date = "2022/08/30"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to
escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Creation via Secondary Logon"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Process Creation via Secondary Logon

The Secondary Logon service in Windows allows users to run processes with different credentials, facilitating legitimate administrative tasks. However, adversaries can exploit this to escalate privileges by creating processes with alternate tokens, bypassing access controls. The detection rule identifies such abuse by monitoring successful logins via the Secondary Logon service and subsequent process creation, linking them through unique logon identifiers.

### Possible investigation steps

- Review the event logs for the specific TargetLogonId to identify the user account associated with the process creation and verify if the account is authorized to use alternate credentials.
- Examine the source IP address "::1" to confirm if the process creation originated from the local machine, which might indicate a local privilege escalation attempt.
- Investigate the process name "svchost.exe" to determine if it is being used legitimately or if it has been exploited for malicious purposes, such as running unauthorized services.
- Check the sequence of events within the 1-minute maxspan to identify any unusual or suspicious activities that occurred immediately before or after the process creation.
- Correlate the detected activity with other security alerts or logs to identify any patterns or additional indicators of compromise that might suggest a broader attack campaign.

### False positive analysis

- Legitimate administrative tasks using the Secondary Logon service can trigger alerts. To manage this, identify and whitelist specific administrative accounts or tasks that frequently use this service for legitimate purposes.
- Scheduled tasks or automated scripts that use alternate credentials for routine operations may cause false positives. Review and exclude these tasks by creating exceptions for known scripts or scheduled jobs.
- Internal IT support activities often involve using alternate credentials for troubleshooting or maintenance. Document and exclude these activities by maintaining a list of support personnel and their typical actions.
- Software updates or installations that require elevated privileges might be flagged. Monitor and exclude these processes by identifying and documenting the update mechanisms used within the organization.
- Development or testing environments where alternate credentials are used for testing purposes can generate alerts. Exclude these environments by setting up specific rules that recognize and ignore these non-production activities.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified as being created via the Secondary Logon service, especially those linked to the unique logon identifiers from the alert.
- Review and revoke any alternate credentials or tokens used in the suspicious process creation to prevent further misuse.
- Conduct a thorough examination of the affected system for additional signs of compromise, such as unauthorized user accounts or changes to system configurations.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
- Implement stricter access controls and monitoring on the Secondary Logon service to detect and prevent similar privilege escalation attempts in the future.
- Update and reinforce endpoint detection and response (EDR) solutions to enhance monitoring of process creation events and logon activities, ensuring they are aligned with the latest threat intelligence."""
references = ["https://attack.mitre.org/techniques/T1134/002/"]
risk_score = 47
rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
setup = """## Setup

Audit events 4624 and 4688 are needed to trigger this rule.
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.computer_name with maxspan=1m

[authentication where event.action:"logged-in" and
 event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and

 /* seclogon service */
 process.name == "svchost.exe" and
 winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId

[process where event.type == "start"] by winlog.event_data.TargetLogonId
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[[rule.threat.technique.subtechnique]]
id = "T1134.003"
name = "Make and Impersonate Token"
reference = "https://attack.mitre.org/techniques/T1134/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
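To make the correlation concrete, the following is an added Python emulation of the rule's EQL sequence run over constructed 4624 and 4688 events; it is not Elastic's code, and the event-builder helpers, host names, SIDs and logon IDs are illustrative assumptions. It shows why an ordinary interactive logon and a process start outside the 1-minute maxspan do not alert, while a seclogon logon followed by a process start under the same TargetLogonId does.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

MAXSPAN = timedelta(minutes=1)  # mirrors `with maxspan=1m` in the rule

def is_seclogon_logon(ev):
    """Step 1: a successful 4624 issued by the Secondary Logon service
    (LogonProcessName seclogo*) for a domain/Entra SID, from localhost (::1)."""
    return (ev.get("event.category") == "authentication"
            and ev.get("event.action") == "logged-in"
            and ev.get("event.outcome") == "success"
            and any(fnmatch(ev.get("user.id", ""), p) for p in ("S-1-5-21-*", "S-1-12-1-*"))
            and ev.get("process.name") == "svchost.exe"
            and fnmatch(ev.get("winlog.event_data.LogonProcessName", ""), "seclogo*")
            and ev.get("source.ip") == "::1")

def find_sequences(events):
    """Emulate `sequence by winlog.computer_name with maxspan=1m [...] by TargetLogonId`: a step-1
    event opens a slot keyed on (host, logon id); the first 4688/process start with the same key
    within MAXSPAN closes it as a hit. Returns (host, logon_id, process) tuples."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["winlog.computer_name"], ev["winlog.event_data.TargetLogonId"])
        if is_seclogon_logon(ev):
            pending[key] = ev["@timestamp"]
        elif ev.get("event.category") == "process" and ev.get("event.type") == "start" and key in pending:
            if ev["@timestamp"] - pending.pop(key) <= MAXSPAN:   # stale slots are simply dropped
                hits.append((key[0], key[1], ev["process.name"]))
    return hits

def _t(sec):  # constructed timestamps, all on one morning
    return datetime(2025, 3, 20, 9, 0) + timedelta(seconds=sec)

def logon_event(sec, host, logon_id, sid, logon_proc, src_ip):
    """Constructed, flattened ECS view of a 4624 (assumed shape, for the demo only)."""
    return {"@timestamp": _t(sec), "winlog.computer_name": host, "winlog.event_data.TargetLogonId": logon_id,
            "event.category": "authentication", "event.action": "logged-in", "event.outcome": "success",
            "user.id": sid, "process.name": "svchost.exe", "winlog.event_data.LogonProcessName": logon_proc,
            "source.ip": src_ip}

def start_event(sec, host, logon_id, name):
    """Constructed 4688: TargetLogonId is the logon session the new process runs under."""
    return {"@timestamp": _t(sec), "winlog.computer_name": host, "winlog.event_data.TargetLogonId": logon_id,
            "event.category": "process", "event.type": "start", "process.name": name}

SAMPLE_EVENTS = [  # constructed telemetry, not real log data
    logon_event(0, "WS01", "0x3e7a1", "S-1-5-21-1111-2222-3333-1001", "seclogo", "::1"),
    start_event(20, "WS01", "0x3e7a1", "cmd.exe"),          # alert: same host + logon id, 20 s later
    logon_event(0, "WS02", "0x5a1c2", "S-1-5-21-1111-2222-3333-1002", "User32 ", "10.0.0.5"),
    start_event(5, "WS02", "0x5a1c2", "explorer.exe"),      # no alert: ordinary interactive logon
    logon_event(0, "WS03", "0x71f00", "S-1-5-21-1111-2222-3333-1003", "seclogo", "::1"),
    start_event(300, "WS03", "0x71f00", "powershell.exe"),  # no alert: outside the 1 m maxspan
]
```

Running `find_sequences(SAMPLE_EVENTS)` yields only the WS01 hit; the same keying on TargetLogonId is what lets an analyst pivot from the alert back to the originating 4624 during triage.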