First Time Seen NewCredentials Logon Process
Identifies a NewCredentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability, which is often abused to bypass access control restrictions.
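# Elastic prebuilt detection rule. Candidate events are selected by `query`;
# an alert is raised only when the field listed in [rule.new_terms] carries a
# value not seen during the history window (see [[rule.new_terms.history_window_start]]).

[metadata]
creation_date = "2023/11/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access
token forging capability that are often abused to bypass access control restrictions.
"""
# Start of the query window for each rule execution, relative to run time.
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "First Time Seen NewCredentials Logon Process"
references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
risk_score = 47
rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
# Evaluate against ingest time instead of event time; presumably so that
# late-arriving events still fall inside the `from` window — confirm against the docs.
timestamp_override = "event.ingested"
type = "new_terms"

# Candidate events, in order of the clauses below:
#   - Windows authentication events with logon type NewCredentials (Windows
#     logon type 9, as produced by e.g. `runas /netonly`): a token whose
#     network credentials differ from those of the calling user.
#   - LogonProcessName is Advapi; the quoted alternative with trailing spaces
#     presumably matches the space-padded form some sources log — verify.
#   - Machine accounts (SubjectUserName ending in `$`) are excluded.
#   - Executables under `<drive>:\Program Files*` are excluded; the `?`
#     characters are presumably single-character wildcards standing in for the
#     drive letter, colon and the space, which KQL cannot express literally.
#     NOTE(review): this exclusion is path-based only, so any executable running
#     from that tree is never considered new; review whether that gap is
#     acceptable or whether a signer/publisher condition is available instead.
query = '''
event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.001"
name = "Token Impersonation/Theft"
reference = "https://attack.mitre.org/techniques/T1134/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# New-terms tracking: alert when `process.executable` has not appeared in
# matching events during the last 7 days before the run.
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"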