Potential Privilege Escalation via InstallerFileTakeOver
Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.
Elastic rule
[metadata]
creation_date = "2021/11/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation
allows an unprivileged user to escalate privileges to SYSTEM.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via InstallerFileTakeOver"
references = ["https://github.com/klinix5/InstallerFileTakeOver"]
risk_score = 73
rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.Ext.token.integrity_level_name : "System" and
  (
    (process.name : "elevation_service.exe" and
     not process.pe.original_file_name == "elevation_service.exe") or

    (process.name : "elevation_service.exe" and
     not process.code_signature.trusted == true) or

    (process.parent.name : "elevation_service.exe" and
     process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
  ) and
  not
  (
    process.name : "elevation_service.exe" and process.code_signature.trusted == true and
    process.pe.original_file_name == null
  )
'''

note = """## Triage and analysis

### Investigating Potential Privilege Escalation via InstallerFileTakeOver

#### Possible investigation steps

- Which alert path fired: a suspect service binary or a service-spawned child?
  - Focus: alert-local `process.name`, `process.executable`, `process.command_line`, `process.parent.executable`, and `process.Ext.token.integrity_level_name`.
  - Implication: escalate when SYSTEM "elevation_service.exe" runs outside "%ProgramFiles% or %ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\<version>\\elevation_service.exe" or starts "cmd.exe", "powershell.exe", or "rundll32.exe"; lower suspicion only for a genuine Edge service start with no shell child.
- Is the elevation service binary genuine Microsoft content?
  - Focus: compare service `process.executable`, `process.pe.original_file_name`, `process.hash.sha256`, `process.code_signature.subject_name`, and `process.code_signature.trusted`; for child alerts, recover the parent service start on `host.id` with `process.parent.entity_id` and compare those fields there.
  - Hint: if a child alert lacks parent hash or signer details, recover the parent service process start with entity or PID fallback. $investigate_0
  - Implication: escalate when original filename is not "elevation_service.exe", signer is not Microsoft, trust fails, or the same hash appears from a user-writable path; lower suspicion only when path, filename, signer, trust, and hash history fit the expected Microsoft Edge service.
- Does lineage show Windows Installer takeover rather than normal Edge servicing?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.parent.code_signature.subject_name`, `process.parent.code_signature.trusted`, and broader process lineage when needed.
  - Implication: escalate when an MSI, temp, or user-session chain leads to the SYSTEM service or shell; lower suspicion when Microsoft-signed Edge installer or updater lineage starts the genuine service with servicing arguments and no shell.
- Do recovered file events show service overwrite or PoC staging artifacts?
  - Focus: if file telemetry exists, open host-scoped file events, then filter to the recovered service or child `process.entity_id`; if entity IDs are absent, use `host.id` plus service `process.pid` or `process.parent.pid` and the alert window. Review `file.path`, `file.Ext.original.path`, and writing `process.executable`. $investigate_2
  - Range: start 30 minutes before the alert because MSI administrative-install staging can precede service execution.
  - Implication: escalate when the Edge service path is overwritten or PoC artifacts such as the "microsoft plz" temp folder, temp MSI, or "elevation_service.exe" file creation cluster around the alert; treat those names as corroborators, not required evidence. Missing file telemetry is unresolved, not benign.
  - Hint: modified variants may omit PoC names; keep this centered on service replacement and MSI staging when names differ.
- What did the SYSTEM service or spawned child do next?
  - Focus: descendant process starts on the same `host.id` from `process.entity_id` or `process.parent.entity_id`, especially `process.name`, `process.command_line`, and `process.Ext.token.integrity_level_name`. $investigate_1
  - Implication: escalate when SYSTEM context launches credential-access, persistence, payload staging, or remote-execution tooling; keep scope near the privilege-escalation event only when the service or shell produces no follow-on SYSTEM activity.
- If local findings remain suspicious or unresolved, do related alerts show broader exploitation?
  - Focus: related alerts for the same `host.id` in the last 48 hours, especially service tampering, suspicious MSI, credential access, or follow-on execution. $investigate_3
  - Hint: compare `user.id` only when it identifies a non-SYSTEM actor; otherwise keep broadened review host-scoped and use lineage to avoid over-attributing the operator. $investigate_4
  - Implication: broaden response when the same host or user shows privilege-escalation or post-exploitation alerts; quiet related-alert review does not close unresolved local evidence.
- Escalate on identity mismatch, MSI/user lineage, service overwrite, SYSTEM shell, or follow-on activity; close only when all evidence fits genuine Microsoft Edge service identity with no shell behavior or verified validation/detonation; preserve artifacts and escalate when evidence is mixed or telemetry is missing.

### False positive analysis

- Authorized exploit validation, red-team work, detection-content testing, malware research, or incident-response detonation can trigger this rule on lab or disposable analysis hosts. Confirm `process.hash.sha256`, service `process.executable`, parent `process.parent.executable`, child `process.command_line`, recovered temp-artifact pattern, and bounded `host.id` cohort match the same test kit or analysis-host cohort. If change, test, or sandbox records are unavailable, require the same telemetry pattern across prior alerts from this rule before closing as benign.
- Before creating an exception, keep `process.hash.sha256`, `process.executable`, `process.parent.executable`, child `process.command_line`, `host.id`, and the recovered temp-artifact pattern stable across prior alerts from this rule. Avoid exceptions on `process.name`, `process.parent.name`, or "elevation_service.exe" alone because those values overlap real service abuse.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the validation or analysis workflow that matched the alert, including the stable `process.hash.sha256`, service `process.executable`, parent `process.parent.executable`, child `process.command_line`, recovered artifact pattern, and bounded `host.id` cohort. Create an exception only after the same pattern recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the case export, process tree with service and child entity IDs, service binary and hash identity, spawned-shell command line, and recovered service-overwrite or temp-artifact timeline before containment or cleanup. Apply reversible containment first, such as heightened monitoring or host isolation when the asset role permits it; terminate the spawned shell only after capture, and escalate to isolation if follow-on SYSTEM activity or spread appears.
- If confirmed malicious, use the preserved identity, lineage, artifact, and follow-on evidence to isolate the endpoint or escalate to the team that can contain it. Before replacing or deleting files, collect the overwritten service binary, temp MSI or recovered PoC artifacts, and spawned-shell timeline. Review related hosts and users for the same hash or service-path pattern, then restore the genuine Edge elevation service binary and remove only attacker payloads, persistence, or configuration changes identified during scoping.
- Post-incident hardening: verify Windows Installer and Edge components are patched, restrict unnecessary MSI administrative-install paths where possible, retain process and file telemetry long enough to reconstruct service replacement, and record the service-path, temp-artifact, and child-shell pattern for future response.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.hash.sha256",
    "process.Ext.token.integrity_level_name",
    "process.Ext.relative_file_creation_time",
    "process.parent.executable",
    "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Parent elevation service process start"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process starts from the alert process"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events on this host near the alert"
description = ""
providers = [
    [
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
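The rule's EQL logic, re-implemented in Python as an added example (this is not Elastic's code and not part of the rule), and run over constructed process-start events. It also carries out the first triage step from the note: which alert path fired, and whether the service binary (or, for a child alert, its parent) sits in the expected Edge location. The sample events, the version folder `120.0.0.0`, and the drive letter are constructed; the path check follows the `%ProgramFiles%...\Microsoft\Edge\Application\<version>\elevation_service.exe` pattern stated in the note.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Expected Edge elevation service location from the triage note (assumed drive letter pattern).
EDGE_SERVICE_PATH = re.compile(
    r"^[A-Z]:\\Program Files( \(x86\))?\\Microsoft\\Edge\\Application\\[^\\]+\\elevation_service\.exe$",
    re.IGNORECASE,
)
SHELL_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe"}


@dataclass
class ProcessEvent:
    """Subset of the Elastic Defend process fields the rule reads (constructed events, not real telemetry)."""
    name: str                                   # process.name
    executable: str                             # process.executable
    integrity_level: str                        # process.Ext.token.integrity_level_name
    parent_name: str = ""                       # process.parent.name
    parent_executable: str = ""                 # process.parent.executable
    original_file_name: Optional[str] = None    # process.pe.original_file_name (None = field absent)
    signature_trusted: Optional[bool] = None    # process.code_signature.trusted
    os_type: str = "windows"                    # host.os.type
    event_type: str = "start"                   # event.type


def match_branch(e: ProcessEvent) -> Optional[str]:
    """Mirror the EQL: return the name of the OR-branch that fires, or None.
    EQL ':' compares case-insensitively. A missing original_file_name counts as
    'not equal' here, which is what the rule's trailing exclusion clause compensates for."""
    if e.os_type != "windows" or e.event_type != "start":
        return None
    if e.integrity_level.lower() != "system":
        return None
    is_service = e.name.lower() == "elevation_service.exe"
    if is_service and e.original_file_name != "elevation_service.exe":
        branch = "original_file_name_mismatch"
    elif is_service and e.signature_trusted is not True:
        branch = "untrusted_signature"
    elif e.parent_name.lower() == "elevation_service.exe" and e.name.lower() in SHELL_CHILDREN:
        branch = "service_spawned_shell"
    else:
        return None
    # Exclusion: a trusted-signed service binary whose PE metadata is simply missing.
    if is_service and e.signature_trusted is True and e.original_file_name is None:
        return None
    return branch


def triage(e: ProcessEvent) -> dict:
    """First investigation step: which path fired, and is the service binary where Edge installs it."""
    branch = match_branch(e)
    if branch is None:
        return {"fires": False}
    # For a service-spawned shell the binary of interest is the parent service, not the shell.
    service_exe = e.parent_executable if branch == "service_spawned_shell" else e.executable
    return {
        "fires": True,
        "branch": branch,
        "alert_path": "service_child" if branch == "service_spawned_shell" else "service_binary",
        "service_path_expected": bool(EDGE_SERVICE_PATH.match(service_exe)),
    }


# Constructed sample events (version folder and paths are assumptions).
EDGE_EXE = r"C:\Program Files\Microsoft\Edge\Application\120.0.0.0\elevation_service.exe"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
GENUINE = ProcessEvent("elevation_service.exe", EDGE_EXE, "System",
                       original_file_name="elevation_service.exe", signature_trusted=True)
GENUINE_NO_PE = ProcessEvent("elevation_service.exe", EDGE_EXE, "System",
                             original_file_name=None, signature_trusted=True)
OVERWRITTEN = ProcessEvent("elevation_service.exe", EDGE_EXE, "System",
                           original_file_name=None, signature_trusted=False)
TEMP_COPY = ProcessEvent("elevation_service.exe", r"C:\Users\u\AppData\Local\Temp\elevation_service.exe",
                         "System", original_file_name="elevation_service.exe", signature_trusted=False)
SHELL_CHILD = ProcessEvent("cmd.exe", CMD_EXE, "System",
                           parent_name="elevation_service.exe", parent_executable=EDGE_EXE)
USER_CHILD = ProcessEvent("cmd.exe", CMD_EXE, "Medium",
                          parent_name="elevation_service.exe", parent_executable=EDGE_EXE)

if __name__ == "__main__":
    for label, ev in [("genuine", GENUINE), ("genuine_no_pe", GENUINE_NO_PE), ("overwritten", OVERWRITTEN),
                      ("temp_copy", TEMP_COPY), ("shell_child", SHELL_CHILD), ("user_child", USER_CHILD)]:
        print(f"{label:14s} -> {triage(ev)}")
```

The `OVERWRITTEN` case is the one the note warns about: the path looks exactly like a genuine Edge install, so `service_path_expected` is true, yet the missing PE name and failed signature trust still fire the rule. This is why the guide keys the decision on identity (original filename, signer, trust, hash) rather than on path alone.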
References
- https://github.com/klinix5/InstallerFileTakeOver
Related rules
- Deprecated - Suspicious PrintSpooler Service Executable File Creation
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler SPL File Created
- Unusual Print Spooler Child Process
- Persistence via Update Orchestrator Service Hijack
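The false positive analysis section of the investigation guide says an exception should only be created once hash, service executable, parent executable, child command line, host cohort and the recovered temp-artifact pattern are stable across prior alerts, and never on `process.name` or `process.parent.name` alone. The following is an added example (not Elastic's code) that applies those rules to a list of prior alerts; the alert dicts use the rule's field names, while the minimum number of prior alerts, the lab-host cohort, the hash placeholders and the `artifact_pattern` summary key are assumptions.

```python
# Fields the guide requires to be identical across prior alerts before an exception is considered.
STABLE_FIELDS = (
    "process.hash.sha256",
    "process.executable",
    "process.parent.executable",
    "process.command_line",   # child command line for service-spawned-shell alerts
    "artifact_pattern",       # analyst's summary of the recovered temp-artifact pattern (assumed key)
)
# Fields an exception must be keyed on (host cohort is bounded rather than identical).
REQUIRED_CRITERIA = {"process.hash.sha256", "process.executable", "process.parent.executable", "host.id"}


def exception_assessment(prior_alerts, lab_hosts, min_prior=2):
    """Return eligibility plus every reason the guide's bar is not met.
    min_prior (assumed value) is how many prior alerts must show the same pattern."""
    reasons = []
    if len(prior_alerts) < min_prior:
        reasons.append(f"only {len(prior_alerts)} prior alert(s); need {min_prior}")
    for f in STABLE_FIELDS:
        values = {a.get(f) for a in prior_alerts}
        if len(values) != 1 or None in values:
            reasons.append(f"{f} not stable: {sorted(map(str, values))}")
    outside = sorted({a.get("host.id") for a in prior_alerts} - set(lab_hosts))
    if outside:
        reasons.append(f"hosts outside lab cohort: {outside}")
    return {"eligible": not reasons, "reasons": reasons}


def exception_criteria_ok(criteria):
    """True only if the exception definition carries the identity fields the guide names;
    a definition keyed on process.name / process.parent.name alone fails this check."""
    return REQUIRED_CRITERIA <= set(criteria)


# Constructed prior alerts from a detection-content test on disposable hosts.
LAB_HOSTS = {"lab-host-01", "lab-host-02"}
_SVC = r"C:\Program Files\Microsoft\Edge\Application\120.0.0.0\elevation_service.exe"
_BASE = {
    "process.hash.sha256": "sha256-placeholder-testkit",   # placeholder, not a real hash
    "process.executable": r"C:\Windows\System32\cmd.exe",
    "process.parent.executable": _SVC,
    "process.command_line": "cmd.exe /c whoami",
    "artifact_pattern": "temp-msi+service-overwrite",
}
LAB_ALERTS = [{**_BASE, "host.id": "lab-host-01"}, {**_BASE, "host.id": "lab-host-02"}]
# Same pattern, but a third alert on a production workstation with a different hash.
MIXED_ALERTS = LAB_ALERTS + [{**_BASE, "host.id": "finance-ws-17",
                              "process.hash.sha256": "sha256-placeholder-other"}]

if __name__ == "__main__":
    print("lab only  :", exception_assessment(LAB_ALERTS, LAB_HOSTS))
    print("mixed     :", exception_assessment(MIXED_ALERTS, LAB_HOSTS))
    print("name-only :", exception_criteria_ok({"process.name": "elevation_service.exe"}))
```

Every failing condition is reported rather than just the first, so an analyst sees at once whether the block is a single unknown host or a genuinely different pattern, which is the distinction the guide draws between a bounded test cohort and real service abuse.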