Interactive Logon by an Unusual Process
Identifies an interactive logon attempt made with alternate credentials by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.
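# Elastic detection rule. `[metadata]` is bookkeeping for the rule repository,
# `[rule]` is the rule itself and `[[rule.threat]]` its MITRE ATT&CK mapping.
[metadata]
# Dates are kept as "YYYY/MM/DD" strings rather than native TOML dates —
# presumably the format the rule loader expects; confirm before changing the type.
creation_date = "2023/12/04"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"

[rule]
author = ["Elastic"]
description = """
Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new
token to escalate privileges and bypass access controls.
"""
# Lookback window for each rule execution. Because `timestamp_override` below
# points at event.ingested, this window is measured against ingest time and must
# therefore cover ingest delay, not just the rule's scheduling interval.
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Logon by an Unusual Process"
references = ["https://attack.mitre.org/techniques/T1134/002/"]
risk_score = 73
rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad"
setup = """## Setup

Audit event 4624 is needed to trigger this rule.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"]
# Evaluate the `from` window against ingest time instead of event time; see the
# setup text for the pre-8.2 caveat on indices that lack event.ingested.
timestamp_override = "event.ingested"
type = "eql"

# What the query requires (documented here because the query string itself
# must stay byte-identical):
# - A Windows authentication event (4624, per the setup text) whose logon
#   process name matches "Advapi*" — the value API-initiated logons such as
#   LogonUser typically record; confirm against your own 4624 data — and whose
#   logon type is Interactive.
# - Both the subject (calling) SID and the target (logged-on) SID must be
#   account SIDs: S-1-5-21* for local/domain accounts and S-1-12-* (likely
#   Azure AD accounts). Well-known SIDs such as SYSTEM (S-1-5-18) therefore
#   never match on either side.
# - `not startswith~(SubjectUserSid, TargetUserSid)` requires the caller to be
#   a different account from the one being logged on, i.e. alternate
#   credentials were supplied. A SID starts with itself, so self-logons are out.
# - `process.executable : "C:\\*"` limits the rule to processes on the C:
#   volume; a caller running from any other drive letter is never evaluated.
#   Tune this if hosts run software from other volumes.
# - The trailing list removes processes that are presumably expected to perform
#   such logons: winlogon/wininit, anything under Program Files, IIS w3wp.exe and
#   the SysWOW64 (32-bit) msiexec.exe. The Program Files entries are the broadest
#   exclusions and, intentionally or not, only the SysWOW64 msiexec is excluded —
#   the System32 copy still matches. Every entry here is a detection blind spot,
#   so keep additions as specific as possible.
query = '''
authentication where
 host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and
 winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and
 winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and process.executable : "C:\\*" and
 not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and
 not process.executable :
 ("?:\\Windows\\System32\\winlogon.exe",
 "?:\\Windows\\System32\\wininit.exe",
 "?:\\Program Files\\*.exe",
 "?:\\Program Files (x86)\\*.exe",
 "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe",
 "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
 "?:\\Windows\\SysWOW64\\msiexec.exe")
'''

# MITRE ATT&CK mapping: one technique with two sub-techniques under the
# Privilege Escalation tactic. Sub-table headers must follow their parent
# `[[rule.threat]]` element, which is why the tactic comes last.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[[rule.threat.technique.subtechnique]]
id = "T1134.003"
name = "Make and Impersonate Token"
reference = "https://attack.mitre.org/techniques/T1134/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"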