Interactive Logon by an Unusual Process
Identifies an interactive logon attempt made with alternate credentials by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.
Elastic rule
[metadata]
creation_date = "2023/12/04"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new
token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Logon by an Unusual Process"
references = ["https://attack.mitre.org/techniques/T1134/002/"]
risk_score = 73
rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad"
setup = """## Setup

Audit event 4624 is needed to trigger this rule.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
authentication where
  host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and
  winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and
  winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and process.executable : "C:\\*" and
  not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and
  not process.executable :
          ("?:\\Windows\\System32\\winlogon.exe",
           "?:\\Windows\\System32\\wininit.exe",
           "?:\\Program Files\\*.exe",
           "?:\\Program Files (x86)\\*.exe",
           "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe",
           "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
           "?:\\Windows\\SysWOW64\\msiexec.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Interactive Logon by an Unusual Process

Interactive logons in Windows environments typically involve standard processes like winlogon.exe. Adversaries may exploit alternate processes to create tokens, escalating privileges and bypassing controls. This detection rule identifies anomalies by flagging logons via non-standard executables, focusing on mismatched user SIDs and unusual process paths, thus highlighting potential privilege escalation attempts.

### Possible investigation steps

- Review the process executable path to determine if it is a known or expected application for interactive logons. Investigate any unfamiliar or suspicious paths.
- Examine the SubjectUserSid and TargetUserSid to identify the users involved in the logon attempt. Check for any discrepancies or unusual patterns in user activity.
- Analyze the event logs around the time of the alert to identify any related or preceding events that might indicate how the unusual process was initiated.
- Investigate the system for any signs of compromise, such as unexpected changes in system files, unauthorized software installations, or other indicators of malicious activity.
- Check for any recent privilege escalation attempts or access token manipulations that might correlate with the alert, using the MITRE ATT&CK framework references for guidance.

### False positive analysis

- Legitimate administrative tools or scripts may trigger this rule if they use non-standard executables for logon processes. To manage this, identify and whitelist these known tools by adding their executable paths to the exception list.
- Custom applications developed in-house that require interactive logon might be flagged. Review these applications and, if verified as safe, exclude their executable paths from the detection rule.
- Automated tasks or services that use alternate credentials for legitimate purposes can cause false positives. Analyze these tasks and, if they are part of regular operations, adjust the rule to exclude their specific user SIDs or executable paths.
- Security software or monitoring tools that perform logon actions for scanning or auditing purposes may be incorrectly flagged. Confirm their legitimacy and add them to the exception list to prevent unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified as executing from non-standard paths that are not part of the legitimate Windows system processes.
- Revoke any tokens or credentials associated with the anomalous logon session to prevent further misuse.
- Conduct a thorough review of user accounts involved, focusing on any unauthorized privilege escalations or changes in permissions, and reset passwords as necessary.
- Analyze the system for any signs of persistence mechanisms or additional malware, and remove any identified threats.
- Restore the system from a known good backup if any unauthorized changes or malware are detected that cannot be easily remediated.
- Report the incident to the appropriate internal security team or management for further investigation and potential escalation to law enforcement if necessary."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[[rule.threat.technique.subtechnique]]
id = "T1134.003"
name = "Make and Impersonate Token"
reference = "https://attack.mitre.org/techniques/T1134/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- First Time Seen NewCredentials Logon Process
- Persistence via TelemetryController Scheduled Task Hijack
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential Privileged Escalation via SamAccountName Spoofing
- Process Creation via Secondary Logon