Potential Escalation via Vulnerable MSI Repair
Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
Elastic rule
[metadata]
creation_date = "2024/09/12"
integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This
may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Escalation via Vulnerable MSI Repair"
references = [
    "https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/",
    "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014",
]
risk_score = 73
rule_id = "043d80a3-c49e-43ef-9c72-1088f0c7b278"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and host.os.type == "windows" and
  user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and
  process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe",
                         "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and
  process.parent.command_line : "*go.microsoft.com*"
'''

note = """## Triage and analysis

### Investigating Potential Escalation via Vulnerable MSI Repair
#### Possible investigation steps

- What did the elevated browser parent launch?
  - Why: MSI repair abuse can expose a SYSTEM browser through a help-link redirect; a non-browser child marks the privilege-escalation boundary.
  - Focus: `process.parent.command_line`, `process.name`, `process.executable`, `process.command_line`, and `process.Ext.token.integrity_level_name`.
  - Implication: escalate when a Microsoft Help-tied browser launches a SYSTEM or high-integrity shell, script host, installer, admin utility, file manager, or user-writable binary; lower concern only when the command line shows a browser-internal role, path and signer match the parent browser family, and no non-browser child appears in the alert window.
- Does the lineage fit an MSI repair-to-help-link path?
  - Focus: `process.parent.entity_id`, `process.parent.pid`, surrounding `process.name`, and `process.command_line`.
  - Implication: escalate when ancestry or surrounding starts show MSI repair, installer custom actions, console activity, or an unexpected SYSTEM browser before the child; lower concern when the chain stays inside browser self-maintenance without repair, console, or custom-action ancestry.
  - Hint: recover the parent browser event first. If parentage is incomplete, inspect `process.Ext.ancestry`; if entity IDs are absent, use `host.id`, `process.parent.pid`, and a tight alert window. $investigate_0
- Is the child process identity expected for the host and signer?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.Ext.relative_file_creation_time`.
  - Implication: escalate when the child runs from a user-writable or temporary path, has a mismatched original file name, lacks a trusted signer, or was recently created; lower concern only when signer, path, age, and browser parent context all fit the same recognized component.
- What follow-on process activity came from the same SYSTEM browser or spawned child?
  - Focus: same-host starts from the browser `process.parent.entity_id` or child `process.entity_id`: `process.name`, `process.command_line`, and `process.Ext.token.integrity_level_name`.
  - Implication: escalate when the browser or child launches shells, scripts, persistence or administration tools, additional installers, or chained SYSTEM processes; keep scope local when activity stops at browser helpers with no privileged child chain.
  - Hint: prefer `host.id` plus parent or child `process.entity_id`; use `host.id`, `process.pid`, and a tight window only when entity IDs are absent.
  - $investigate_1
  - $investigate_2
- Does the user and session context support interactive exploitation?
  - Focus: `user.id`, `user.name`, `user.domain`, `process.Ext.authentication_id`, and `process.Ext.session_info.logon_type`.
  - Implication: escalate when a low-privileged or unexpected interactive session is tied to the SYSTEM browser-to-child chain; a pre-existing user browser usually breaks the SYSTEM child path, so a SYSTEM or high-integrity child tied to an interactive session is severity-changing. Lower concern only when process evidence maps to controlled repair validation or browser-helper behavior.
- Does process telemetry show the same SYSTEM-browser-to-tool pattern beyond this process instance?
  - Focus: same `process.parent.command_line` redirect fragment, suspicious `process.name` or `process.executable`, `user.id`, and `host.id` across recent starts.
  - Implication: broaden when recent starts show the same non-browser child pattern across unrelated hosts or users; keep response scoped when telemetry shows only this browser parent, child command line, and no repeated non-browser descendants.
  - Hint: run this pivot only if child intent, lineage, or session context remains suspicious or unresolved. $investigate_3
- Based on the evidence gathered, what disposition is supported?
  - Escalate on SYSTEM or high-integrity browser-to-tool execution, MSI repair lineage, suspicious child identity, interactive session linkage, or repeated scope; close only for same-browser helper behavior with no non-browser descendants or an authorized test whose process facts exactly match scope. Preserve evidence and escalate when child intent, lineage, or session context is mixed or incomplete.

### False positive analysis

- Browser helper, renderer, GPU, updater, or crash subprocesses can trigger after a SYSTEM browser opens a Microsoft Help link. Confirm a browser-internal role, same browser family, installed-browser path and signer, and no shell, installer, file manager, or admin tool from the same parent.
- Authorized MSI repair security validation is benign only when `@timestamp`, `host.id`, `user.id`, the SYSTEM browser parent command line, and child command line match the exact exercise; outside records may corroborate but not replace process facts.
- Build exceptions from the minimum confirmed workflow: browser family and signer, exact redirect parent context, expected child executable or command pattern, `host.id`, and tightly scoped test or managed-repair cohort. Avoid exceptions on `user.domain`, browser name, or redirect URL alone.

### Response and remediation

- If confirmed benign, document the process evidence that proved the browser-helper or validation workflow, reverse any temporary containment, and create only the narrow exception described above if the same workflow recurs.
- If suspicious but unconfirmed, preserve the alert and Timeline/export records for the browser parent, child, ancestor chain, host, and user. Record command lines, `process.entity_id`, `process.parent.entity_id`, `host.id`, `user.id`, and any visible MSI package or vulnerable-application names before containment or process termination.
- Apply reversible containment first when findings remain suspicious: isolate the host if its business role allows, or restrict the affected account/session while preserving endpoint telemetry. Do not terminate the child process until its command line, parentage, and spawned descendants are recorded.
- If confirmed malicious, contain the host and affected account based on the process lineage and session evidence, then terminate the malicious child and descendants after recording their identifiers. Remove only the payloads, repair artifacts, or configuration changes identified during the investigation.
- Patch Windows Installer and the vulnerable application package involved in the repair path, verify that the affected OS has the relevant vendor security update for CVE-2024-38014, and repackage or disable repair flows that let low-privileged users reach elevated custom actions, console windows, or help-link execution.
- Document the final evidence set, repair path, affected hosts, and any missing telemetry that limited certainty so future alerts can distinguish browser helper noise, authorized validation, and repeated exploitation."""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.name",
    "process.executable",
    "process.command_line",
    "process.code_signature.trusted",
    "process.parent.entity_id",
    "process.parent.name",
    "process.parent.executable",
    "process.parent.command_line",
    "process.Ext.authentication_id",
    "process.Ext.session_info.logon_type",
    "process.Ext.token.integrity_level_name",
]

[transform]

[[transform.investigate]]
label = "SYSTEM browser parent process event"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts from the SYSTEM browser parent"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts from the launched child"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ]
]
relativeFrom = "now"
relativeTo = "now"

[[transform.investigate]]
label = "Recent process starts with the same child executable"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
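The rule's EQL match conditions and the first triage step of the note, re-implemented as an added Python example run over constructed process-start events (this is not the rule's own code or anything from the Elastic detection-rules project). The field names are the ones the rule uses; the sample paths, the `--type=` browser-role check and the user-writable-path list are assumptions made for the example.

```python
# Added example, not code from the Elastic rule or the detection-rules project.
# Re-implements the rule's EQL conditions and the note's first triage step over
# constructed events. The --type= browser-role check and USER_WRITABLE paths
# are simplifying assumptions, not part of the rule.
SYSTEM_DOMAINS = {"NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT"}
BROWSER_PARENTS = {
    "chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe",
    "dragon.exe", "vivaldi.exe", "opera.exe", "iexplore", "firefox.exe",
    "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe",
}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def matches_rule(ev):
    """Python equivalent of the rule's EQL query. EQL ':' matches keyword
    fields case-insensitively, so values are normalised before comparing."""
    return (
        ev.get("event.type") == "start"
        and ev.get("host.os.type") == "windows"
        and ev.get("user.domain", "").upper() in SYSTEM_DOMAINS
        and ev.get("process.parent.name", "").lower() in BROWSER_PARENTS
        and "go.microsoft.com" in ev.get("process.parent.command_line", "").lower()
    )


def triage(ev):
    """First investigation step: lower concern only for a browser-internal role
    from the parent's own install directory with a trusted signature."""
    exe = ev.get("process.executable", "").lower()
    parent_dir = ev.get("process.parent.executable", "").lower().rsplit("\\", 1)[0]
    same_install = exe.rsplit("\\", 1)[0] == parent_dir
    internal_role = "--type=" in ev.get("process.command_line", "").lower()
    trusted = ev.get("process.code_signature.trusted") is True
    in_writable_path = any(p in exe for p in USER_WRITABLE)
    if same_install and internal_role and trusted and not in_writable_path:
        return "lower concern"
    return "escalate"  # any other child is the privilege-escalation boundary


# Constructed sample telemetry (not real events); the fwlink id is a placeholder.
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
HELP_LINK = f'"{CHROME}" https://go.microsoft.com/fwlink/?LinkId=000000'


def make_event(name, child_exe, child_cmd, parent_cmd=HELP_LINK, domain="NT AUTHORITY"):
    return {
        "name": name, "event.type": "start", "host.os.type": "windows",
        "user.domain": domain, "process.parent.name": "chrome.exe",
        "process.parent.executable": CHROME, "process.parent.command_line": parent_cmd,
        "process.executable": child_exe, "process.command_line": child_cmd,
        "process.code_signature.trusted": True,
    }


SAMPLE_EVENTS = [
    make_event("shell from SYSTEM browser", CMD, "cmd.exe"),            # alert, escalate
    make_event("renderer helper", CHROME, f'"{CHROME}" --type=renderer'),  # alert, lower concern
    make_event("user browser", CMD, "cmd.exe", domain="CORP"),           # no alert
    make_event("no help link", CMD, "cmd.exe", parent_cmd=f'"{CHROME}" https://example.invalid/'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["name"], matches_rule(ev), triage(ev) if matches_rule(ev) else "-")
```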
Related rules
- Bypass UAC via Event Viewer
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Windir Environment Variable
- Suspicious Print Spooler Point and Print DLL
- UAC Bypass Attempt via Windows Directory Masquerading