Interactive Logon by an Unusual Process

Identifies an interactive logon attempt made with alternate credentials by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.


# Rule bookkeeping consumed by the Elastic detection-rules tooling.
[metadata]
creation_date = "2023/12/04"
# Integrations whose data streams this rule expects (see `index` under [rule]).
integration = ["system", "windows"]
maturity = "production"
# Bump whenever the query or exclusion list changes so downstream consumers can track drift.
updated_date = "2024/05/21"

# Detection rule: interactive logon (event 4624, logon type 2) requested through the
# Advapi logon process by an executable outside the expected allowlist, where the
# requesting account and the target account differ. This is the pattern produced when
# a process obtains a token for another user and starts work under it.
[rule]
author = ["Elastic"]
description = """
Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new
token to escalate privileges and bypass access controls.
"""
# Look-back window per execution. Used together with `timestamp_override` below so
# that late-ingested events are still evaluated; see the setup notes for the
# `event.ingested` requirement on pre-8.2 non-agent indices.
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Logon by an Unusual Process"
references = ["https://attack.mitre.org/techniques/T1134/002/"]
# 73 is the Elastic convention for severity "high"; keep the two fields in step.
risk_score = 73
rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad"
setup = """## Setup

Audit event 4624 is needed to trigger this rule.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"

# Query notes (comments cannot go inside the literal string below):
# - `LogonProcessName : "Advapi*"` selects logons requested through the advapi
#   logon path (LogonUser / CreateProcessWithLogon style calls) rather than the
#   normal winlogon-driven session; `logon.type == "Interactive"` is logon type 2.
# - Both SIDs are restricted to `S-1-5-21*` (domain / local machine accounts) and
#   `S-1-12-*` (cloud-joined accounts), which drops built-in and service SIDs such as
#   SYSTEM, NETWORK SERVICE and anonymous logons.
# - `not startswith~(SubjectUserSid, TargetUserSid)` is meant to drop same-account
#   logons; note it is a prefix test, not an equality test, so a subject SID that
#   merely begins with the target SID is also dropped. Confirm this is intended.
# - `process.executable : "C:\\*"` limits evaluation to executables on the C: volume,
#   while the exclusion list uses `?:\\` (any drive letter). Logons driven from
#   executables on other volumes are therefore never evaluated by this rule.
# - The `Program Files` / `Program Files (x86)` globs exclude every .exe under those
#   trees; any subdirectory there that is writable by low-privileged users widens the
#   blind spot. Tighten to specific products if the environment allows it.
query = '''
authentication where 
 host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and 
 winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and 
 winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*")  and process.executable : "C:\\*" and 
 not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and 
 not process.executable : 
            ("?:\\Windows\\System32\\winlogon.exe", 
             "?:\\Windows\\System32\\wininit.exe", 
             "?:\\Program Files\\*.exe", 
             "?:\\Program Files (x86)\\*.exe", 
             "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe", 
             "?:\\Windows\\System32\\inetsrv\\w3wp.exe", 
             "?:\\Windows\\SysWOW64\\msiexec.exe")
'''


# ATT&CK mapping. One `[[rule.threat]]` element per tactic; the technique, its
# sub-techniques and the tactic table below all belong to this single element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
# Sub-technique matching the logon-with-new-token behaviour the query looks for.
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

# Also mapped because the same 4624/Advapi pattern is produced when a token is
# created and impersonated rather than used to spawn a process.
[[rule.threat.technique.subtechnique]]
id = "T1134.003"
name = "Make and Impersonate Token"
reference = "https://attack.mitre.org/techniques/T1134/003/"



# Tactic for this threat element; placed after the techniques, which TOML allows
# because it is a sub-table of the current `[[rule.threat]]` entry.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
