First Time Seen NewCredentials Logon Process

Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that is often abused to bypass access control restrictions.


 1[metadata]
 2creation_date = "2023/11/15"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 6min_stack_version = "8.4.0"
 7updated_date = "2024/01/15"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
13forging capability that are often abused to bypass access control restrictions.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "First Time Seen NewCredentials Logon Process"
20risk_score = 47
21rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
22severity = "medium"
23references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
25timestamp_override = "event.ingested"
26type = "new_terms"
27
28query = '''
29event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi  ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files*
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1134"
37name = "Access Token Manipulation"
38reference = "https://attack.mitre.org/techniques/T1134/"
39[[rule.threat.technique.subtechnique]]
40id = "T1134.001"
41name = "Token Impersonation/Theft"
42reference = "https://attack.mitre.org/techniques/T1134/001/"
43
44
45[rule.threat.tactic]
46id = "TA0004"
47name = "Privilege Escalation"
48reference = "https://attack.mitre.org/tactics/TA0004/"
49
50
51[rule.new_terms]
52field = "new_terms_fields"
53value = ["process.executable"]
54[[rule.new_terms.history_window_start]]
55field = "history_window_start"
56value = "now-7d"
