First Time Seen NewCredentials Logon Process
Identifies a new credentials logon type performed by an unusual process. This may indicate the presence of an access token forging capability, which is often abused to bypass access control restrictions.
[metadata]
creation_date = "2023/11/15"
# Both integrations ship the authentication events this rule matches on.
integration = [
    "system",
    "windows",
]
maturity = "production"
updated_date = "2024/10/28"
# Field names used by the query depend on the 8.14.0 Windows integration;
# older stacks will not produce matching documents.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
name = "First Time Seen NewCredentials Logon Process"
rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
# new_terms: alert only when the tracked field value has not been observed
# inside the configured history window (see [rule.new_terms] below).
type = "new_terms"
author = ["Elastic"]
license = "Elastic License v2"
# Analyst-facing summary shown with every alert.
description = '''
Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access
token forging capability that are often abused to bypass access control restrictions.
'''
references = [
    "https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation",
]
risk_score = 47
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: System",
]
index = [
    "winlogbeat-*",
    "logs-system.*",
    "logs-windows.*",
]
language = "kuery"
# Look back 9 minutes on each run; evaluate against ingest time so that
# late-arriving events are still picked up.
from = "now-9m"
timestamp_override = "event.ingested"

# Clause by clause:
#   - winlog.logon.type:"NewCredentials" -> Windows logon type 9 (LOGON32_LOGON_NEW_CREDENTIALS),
#     the type produced by "run as" with alternate network credentials and by token-forging tooling.
#   - LogonProcessName:(Advapi* or "Advapi ") -> the Advapi logon process; the quoted form with a
#     trailing space covers values that appear padded in the event data.
#   - not SubjectUserName:*$ -> drop machine accounts (names ending in "$").
#   - not process.executable:???\\Program?Files* -> "?" is a single-character wildcard in KQL, so this
#     excludes <drive>:\Program Files* (including "Program Files (x86)"). Note this is a path-only
#     exclusion: anything executing from that tree is ignored regardless of signer or hash, so the
#     ACLs protecting those directories are part of this rule's trust assumptions.
query = '''
event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.001"
name = "Token Impersonation/Theft"
reference = "https://attack.mitre.org/techniques/T1134/001/"

[rule.new_terms]
# Alert when a process.executable value is seen for the first time relative
# to the previous 7 days of matching events.
field = "new_terms_fields"
value = ["process.executable"]
history_window_start = [
    { field = "history_window_start", value = "now-7d" },
]
References
Related rules
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Modification of the msPKIAccountCredentials
- Access to a Sensitive LDAP Attribute
- Group Policy Abuse for Privilege Addition