Process Created with a Duplicated Token

 1[metadata]
 2creation_date = "2023/10/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time"
 6min_stack_version = "8.4.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new
13process with a different token to escalate privileges and bypass access controls.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Process Created with a Duplicated Token"
20references = [
21    "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
22]
23risk_score = 47
24rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31/* This rule is only compatible with Elastic Endpoint 8.4+ */
32
33process where host.os.type == "windows" and event.action == "start" and
34
35 user.id : ("S-1-5-21-*", "S-1-12-1-*") and
36
37 (process.Ext.effective_parent.executable regex~ """[C-Z]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9\-\_\.]+\.exe""" or
38  process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe") and
39
40 (
41  process.name : ("powershell.exe", "cmd.exe", "rundll32.exe", "notepad.exe", "net.exe", "ntdsutil.exe",
42                  "tasklist.exe", "reg.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "esentutl.exe") or
43
44  ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and
45   not process.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
46   not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))
47 ) and
48 not (process.name : "rundll32.exe" and
49      process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*",
50                              "*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*",
51                              "*shell32.dll,SHCreateLocalServerRunDll*")) and
52 not startswith~(process.Ext.effective_parent.name, process.parent.name) and 
53 not (process.name : "powershell.exe" and process.parent.name : "wmiprvse.exe" and process.Ext.effective_parent.executable : "?:\\Windows\\System32\\wsmprovhost.exe") and 
54 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\RuntimeBroker.exe" and process.parent.executable : "?:\\Windows\\System32\\sihost.exe") and 
55 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and 
56 not (process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe" and 
57      process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\twain_32\\*.exe"))
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1134"
65name = "Access Token Manipulation"
66reference = "https://attack.mitre.org/techniques/T1134/"
67
68[[rule.threat.technique.subtechnique]]
69id = "T1134.001"
70name = "Token Impersonation/Theft"
71reference = "https://attack.mitre.org/techniques/T1134/001/"
72
73[[rule.threat.technique.subtechnique]]
74id = "T1134.002"
75name = "Create Process with Token"
76reference = "https://attack.mitre.org/techniques/T1134/002/"
77
78
79
80[rule.threat.tactic]
81id = "TA0004"
82name = "Privilege Escalation"
83reference = "https://attack.mitre.org/tactics/TA0004/"