Potential Escalation via Vulnerable MSI Repair

Identifies when a browser process that has navigated to a Microsoft Help page (a `go.microsoft.com` link in its command line) spawns a child process running under the NT AUTHORITY account. This may indicate successful exploitation of a vulnerable Windows Installer repair sequence for privilege escalation, as described in the referenced CVE-2024-38014 advisory.


 1[metadata]
 2creation_date = "2024/09/12"
 3integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/17"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process.
13This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
14"""
15references = [
16    "https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/",
17    "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014"
18]
19from = "now-9m"
20index = [
21    "winlogbeat-*",
22    "endgame-*",
23    "logs-endpoint.events.process-*",
24    "logs-windows.sysmon_operational-*",
25    "logs-sentinel_one_cloud_funnel.*",
26    "logs-m365_defender.event-*"
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Potential Escalation via Vulnerable MSI Repair"
31risk_score = 73
32rule_id = "043d80a3-c49e-43ef-9c72-1088f0c7b278"
33severity = "high"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Privilege Escalation",
39    "Data Source: Elastic Endgame",
40    "Data Source: Elastic Defend",
41    "Data Source: Sysmon",
42    "Data Source: SentinelOne",
43    "Data Source: Microsoft Defender for Endpoint"
44]
45timestamp_override = "event.ingested"
46type = "eql"
47query = '''
48process where event.type == "start" and host.os.type == "windows" and
49 user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and
50 process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe",
51                        "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and
52 process.parent.command_line : "*go.microsoft.com*"
53'''
54
55
# ATT&CK mapping 1: the detected behaviour is an exploit-based escalation to SYSTEM.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# ATT&CK mapping 2: the elevated process is reached through the Windows Installer
# (msiexec) repair flow, i.e. a trusted system binary acting as the proxy.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
