Privilege Escalation via Windir Environment Variable
Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/26"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known
13primitive that is often combined with other vulnerabilities to elevate privileges.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Privilege Escalation via Windir Environment Variable"
20references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"]
21risk_score = 73
22rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6"
23severity = "high"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Privilege Escalation",
29 "Data Source: Elastic Endgame",
30 "Data Source: Elastic Defend",
31 "Data Source: Sysmon",
32 "Data Source: Microsoft Defender for Endpoint",
33 "Data Source: SentinelOne",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39registry where host.os.type == "windows" and event.type == "change" and
40registry.value : ("windir", "systemroot") and
41registry.path : (
42 "HKEY_USERS\\*\\Environment\\windir",
43 "HKEY_USERS\\*\\Environment\\systemroot",
44 "HKU\\*\\Environment\\windir",
45 "HKU\\*\\Environment\\systemroot",
46 "HKCU\\*\\Environment\\windir",
47 "HKCU\\*\\Environment\\systemroot",
48 "\\REGISTRY\\USER\\*\\Environment\\windir",
49 "\\REGISTRY\\USER\\*\\Environment\\systemroot",
50 "USER\\*\\Environment\\windir",
51 "USER\\*\\Environment\\systemroot"
52 ) and
53 not registry.data.strings : ("C:\\windows", "%SystemRoot%")
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1574"
61name = "Hijack Execution Flow"
62reference = "https://attack.mitre.org/techniques/T1574/"
63[[rule.threat.technique.subtechnique]]
64id = "T1574.007"
65name = "Path Interception by PATH Environment Variable"
66reference = "https://attack.mitre.org/techniques/T1574/007/"
67
68
69
70[rule.threat.tactic]
71id = "TA0004"
72name = "Privilege Escalation"
73reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
The Windows Task Scheduler is a great place to go and find privilege escalations, it's typically abused to add SUID style capabilities to Wi...
Read More
Related rules
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service
- Disabling User Account Control via Registry Modification
- Persistence via PowerShell profile
- Potential Exploitation of an Unquoted Service Path Vulnerability