Interactive Logon by an Unusual Process

Identifies an interactive logon attempt made with alternate credentials by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.

Elastic rule

```toml
[metadata]
creation_date = "2023/12/04"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new
token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Logon by an Unusual Process"
references = ["https://attack.mitre.org/techniques/T1134/002/"]
risk_score = 73
rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
authentication where
 host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and
 winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and
 winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*")  and process.executable : "C:\\*" and
 not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and
 not process.executable :
            ("?:\\Windows\\System32\\winlogon.exe",
             "?:\\Windows\\System32\\wininit.exe",
             "?:\\Program Files\\*.exe",
             "?:\\Program Files (x86)\\*.exe",
             "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe",
             "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
             "?:\\Windows\\SysWOW64\\msiexec.exe")
'''

note = """## Triage and analysis

### Investigating Interactive Logon by an Unusual Process
#### Possible investigation steps

- Did Advapi create an interactive logon for a different target identity?
  - Focus: `winlog.logon.type`, `winlog.event_data.LogonProcessName`, `winlog.event_data.SubjectUserSid`, `winlog.event_data.TargetUserSid`, and `host.id`.
  - Implication: escalate when Advapi creates a different Target session without recognized credential-switch use; lower suspicion only for bounded runas or helper use on this host. Subject initiated the action; Target received the session or token.
- Which process requested the alternate-credential session?
  - Focus: `process.executable`, `process.name`, `process.pid`, `winlog.event_data.SubjectUserName`, and `winlog.event_data.SubjectDomainName`.
  - Implication: escalate when the requester is user-writable, temporary, renamed, or unrelated to credential switching; lower suspicion only for System32 runas.exe or a recognized helper tied to the same Subject. Process identity alone does not clear token creation.
- Did the Target session create privileged or linked-token access?
  - Focus: `winlog.event_data.TargetUserSid`, `winlog.event_data.TargetLogonId`, `winlog.event_data.TargetLinkedLogonId`, `winlog.event_data.ElevatedToken`, and `winlog.event_data.ImpersonationLevel`.
  - Implication: escalate on a privileged or unusual Target account, elevated token, linked session, or impersonation-capable token. Keep unresolved when the Target cannot be tied to the requesting Subject and process; a recognized requester does not clear elevated Target token state.
- Did explicit-credential records show who supplied Target credentials?
  - Focus: same-host 4648 records using `winlog.event_data.SubjectLogonId`; read `winlog.event_data.TargetUserName`, `winlog.event_data.TargetDomainName`, `winlog.event_data.TargetServerName`, and `source.ip`.
  - Hint: make-token tooling may leave only Advapi, different Subject/Target SIDs, and Target session fields; do not require endpoint command-line evidence before escalation. $investigate_0
  - Implication: escalate when 4648 shows the same Subject session presenting Target credentials to an unexpected server or non-local origin. Local or absent `source.ip` can occur in make-token cases and must be weighed with requester, identity pair, and token state; missing Security telemetry is unresolved, not benign.
- Did the created Target session show follow-on success or authentication-method signals?
  - Focus: same-host 4624 and 4634 records using `winlog.event_data.TargetLogonId`; read `winlog.event_data.TargetUserSid`, `winlog.event_data.AuthenticationPackageName`, and `source.ip`.
  - Implication: escalate on unexpected authentication package use, repeated successful session activity, or a non-local origin that contradicts local workflow; absent or local source details should be weighed with Target-token evidence. Missing 4624/4634 telemetry is unresolved, not benign.
    - $investigate_1
    - $investigate_2
- What activity is tied to the created Target logon session?
  - Focus: same-host events carrying `winlog.event_data.TargetLogonId`, especially process, privilege, or authentication records tied to the Target identity. $investigate_3
  - Implication: escalate when the Target session performs privileged operations, starts unexpected processes, or chains authentication; no follow-on telemetry narrows activity only when the requester, identity pair, and token state are otherwise explained.
- If local evidence remains suspicious or unresolved, do related alerts change scope?
  - Focus: recent alerts for the same `host.id`, Subject SID, and Target SID.
    - $investigate_4
    - $investigate_5
    - $investigate_6
  - Implication: broaden scope when related alerts show credential access, privilege escalation, persistence, or lateral movement tied to the host or either identity; quiet alert history cannot close unresolved token/session evidence.
- Escalate on unauthorized Subject-to-Target token creation; close only when the identity pair, requester, Target token, and Security records all bind to one recognized workflow; if mixed, preserve records and use related alerts plus recent session activity to scope the case.

### False positive analysis

- Recognized runas, enterprise PAM or credential-broker helpers, and authorized assessment can trigger this rule from monitored admin hosts. Confirm `process.executable`, Subject and Target identities, `host.id`, and explicit-credential or session records bind to the same workflow or validation scope; contradictory Target token details block benign closure.
- Build exceptions only from the minimum confirmed pattern, such as `process.executable` plus `winlog.event_data.SubjectUserSid`, `winlog.event_data.TargetUserSid`, and a bounded `host.id` or host group. Avoid exceptions on `process.name`, `user.name`, or the Target account alone.

### Response and remediation

- If confirmed benign, document the evidence categories, reverse temporary containment, and create only the narrow exception described above.
- If suspicious but unconfirmed, export the alert and surrounding Windows Security records, preserve the requesting process image and Subject-to-Target session context, and collect the referenced executable before containment.
- Apply reversible containment first: restrict the affected account or host session, increase monitoring on the involved `host.id` and identities, and weigh host criticality before isolation.
- If confirmed malicious, preserve the executable referenced by `process.executable`, session records, and Subject/Target identifiers, then contain involved hosts or accounts and invalidate active sessions.
- Reset or rotate Target credentials only when compromise or unauthorized use is supported; treat Subject as the operator or requesting context before disabling it.
- Eradicate only confirmed token-abuse tooling or credential material, review local privilege assignments that allowed the session, and retain Windows Security events needed to reconstruct Subject-to-Target token creation."""

setup = """## Setup

Audit Logon must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-logon
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "process.name",
    "process.executable",
    "process.pid",
    "winlog.logon.type",
    "winlog.event_data.LogonProcessName",
    "winlog.event_data.ImpersonationLevel",
    "winlog.event_data.ElevatedToken",
    "winlog.event_data.SubjectUserSid",
    "winlog.event_data.SubjectUserName",
    "winlog.event_data.SubjectLogonId",
    "winlog.event_data.TargetUserSid",
    "winlog.event_data.TargetLogonId",
    "winlog.event_data.TargetLinkedLogonId",
]

[transform]

[[transform.investigate]]
label = "Explicit-credential events from the subject session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Target logon records for the created session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{winlog.event_data.TargetLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Target logoff records for the created session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4634", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{winlog.event_data.TargetLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Events for the created target logon session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{winlog.event_data.TargetLogonId}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.logon.id", queryType = "phrase", value = "{{winlog.event_data.TargetLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the subject identity"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectUserSid", queryType = "phrase", value = "{{winlog.event_data.SubjectUserSid}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{winlog.event_data.SubjectUserSid}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the target identity"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetUserSid", queryType = "phrase", value = "{{winlog.event_data.TargetUserSid}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{winlog.event_data.TargetUserSid}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[[rule.threat.technique.subtechnique]]
id = "T1134.003"
name = "Make and Impersonate Token"
reference = "https://attack.mitre.org/techniques/T1134/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
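To make the query's matching logic concrete, here is an added Python re-implementation of its where-clause run over constructed 4624-style events; it is not part of the rule or of Elastic's code. It assumes EQL's `:` operator behaves like case-insensitive `fnmatch` and that events arrive flattened under the field names the rule uses; the domain SID and paths in the samples are placeholders.

```python
import fnmatch

# Exclusion list and SID prefixes copied from the rule query. EQL's ':' operator is
# case-insensitive and accepts '*' and '?' wildcards, which fnmatch reproduces.
EXCLUDED_EXECUTABLES = [
    r"?:\Windows\System32\winlogon.exe",
    r"?:\Windows\System32\wininit.exe",
    r"?:\Program Files\*.exe",
    r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\SysWOW64\inetsrv\w3wp.exe",
    r"?:\Windows\System32\inetsrv\w3wp.exe",
    r"?:\Windows\SysWOW64\msiexec.exe",
]
ACCOUNT_SID_PREFIXES = ["S-1-5-21*", "S-1-12-*"]


def eql_match(value: str, patterns: list[str]) -> bool:
    """Mimic EQL ':' (case-insensitive wildcard compare) against a pattern list."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def rule_matches(event: dict[str, str]) -> bool:
    """Evaluate the rule's where-clause over one flattened authentication event."""
    subject = event.get("winlog.event_data.SubjectUserSid", "")
    target = event.get("winlog.event_data.TargetUserSid", "")
    exe = event.get("process.executable", "")
    return (
        eql_match(event.get("host.os.type", ""), ["windows"])
        # 4624 pads this field ("Advapi  "), hence the trailing wildcard in the rule
        and eql_match(event.get("winlog.event_data.LogonProcessName", ""), ["Advapi*"])
        and event.get("winlog.logon.type") == "Interactive"  # '==' is case-sensitive
        and eql_match(subject, ACCOUNT_SID_PREFIXES)
        and eql_match(target, ACCOUNT_SID_PREFIXES)
        and eql_match(exe, ["C:\\*"])
        # startswith~ is case-insensitive; it drops logons where Subject and Target
        # resolve to the same account, so only genuine identity switches remain
        and not subject.lower().startswith(target.lower())
        and not eql_match(exe, EXCLUDED_EXECUTABLES)
    )


# Constructed sample events (not real telemetry); the domain SID is a placeholder.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = {
    "host.os.type": "windows",
    "winlog.event_data.LogonProcessName": "Advapi  ",
    "winlog.logon.type": "Interactive",
    "winlog.event_data.SubjectUserSid": f"{DOMAIN}-1105",
    "winlog.event_data.TargetUserSid": f"{DOMAIN}-500",
}
SAMPLES = {
    # user-writable requester creating a session for another account: alert
    "temp_tool": {**BASE, "process.executable": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    # excluded system component: no alert
    "winlogon": {**BASE, "process.executable": r"C:\Windows\System32\winlogon.exe"},
    # vendor helper under Program Files: excluded by the '*.exe' pattern
    "pam_helper": {**BASE, "process.executable": r"C:\Program Files\Vendor PAM\broker.exe"},
    # Subject and Target are the same account: no identity switch, no alert
    "self_logon": {**BASE, "process.executable": r"C:\Windows\System32\runas.exe",
                   "winlog.event_data.TargetUserSid": f"{DOMAIN}-1105"},
}


def evaluate(samples: dict[str, dict[str, str]]) -> dict[str, bool]:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(ev) for name, ev in samples.items()}
```

Note that System32 `runas.exe` switching to a different account is not excluded by the query itself; the triage note asks the analyst, not the rule, to lower suspicion for it.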
