Process Created with a Duplicated Token

 1[metadata]
 2creation_date = "2023/10/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new
11process with a different token to escalate privileges and bypass access controls.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Process Created with a Duplicated Token"
18references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"]
19risk_score = 47
20rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f"
21severity = "medium"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Privilege Escalation",
27    "Data Source: Elastic Defend",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33/* This rule is only compatible with Elastic Endpoint 8.4+ */
34
35process where host.os.type == "windows" and event.action == "start" and
36
37 user.id : ("S-1-5-21-*", "S-1-12-1-*") and
38
39 (process.Ext.effective_parent.executable regex~ """[C-Z]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9\-\_\.]+\.exe""" or
40  process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe") and
41
42 (
43  process.name : ("powershell.exe", "cmd.exe", "rundll32.exe", "notepad.exe", "net.exe", "ntdsutil.exe",
44                  "tasklist.exe", "reg.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "esentutl.exe") or
45
46  ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and
47   not process.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
48   not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))
49 ) and
50 not (process.name : "rundll32.exe" and
51      process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*",
52                              "*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*",
53                              "*shell32.dll,SHCreateLocalServerRunDll*")) and
54 not startswith~(process.Ext.effective_parent.name, process.parent.name) and 
55 not (process.name : "powershell.exe" and process.parent.name : "wmiprvse.exe" and process.Ext.effective_parent.executable : "?:\\Windows\\System32\\wsmprovhost.exe") and 
56 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\RuntimeBroker.exe" and process.parent.executable : "?:\\Windows\\System32\\sihost.exe") and 
57 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and 
58 not (process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe" and 
59      process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\twain_32\\*.exe"))
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1134"
67name = "Access Token Manipulation"
68reference = "https://attack.mitre.org/techniques/T1134/"
69[[rule.threat.technique.subtechnique]]
70id = "T1134.001"
71name = "Token Impersonation/Theft"
72reference = "https://attack.mitre.org/techniques/T1134/001/"
73
74[[rule.threat.technique.subtechnique]]
75id = "T1134.002"
76name = "Create Process with Token"
77reference = "https://attack.mitre.org/techniques/T1134/002/"
78
79
80
81[rule.threat.tactic]
82id = "TA0004"
83name = "Privilege Escalation"
84reference = "https://attack.mitre.org/tactics/TA0004/"