Privilege Escalation via Windir Environment Variable

Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/26"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known
primitive that is often combined with other vulnerabilities to elevate privileges.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Windir Environment Variable"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Privilege Escalation via Windir Environment Variable

The Windir environment variable points to the Windows directory, crucial for system operations. Adversaries may alter this variable to redirect processes to malicious directories, gaining elevated privileges. The detection rule monitors changes to this variable in the registry, flagging deviations from expected paths like "C:\\windows," thus identifying potential privilege escalation attempts.

### Possible investigation steps

- Review the registry change event details to identify the specific user account associated with the altered Windir or SystemRoot environment variable. This can be done by examining the registry path and user context in the event data.
- Check the registry data strings to determine the new path set for the Windir or SystemRoot variable. Investigate if this path points to a known malicious directory or an unexpected location.
- Correlate the event with other recent registry changes or system events on the same host to identify any patterns or additional suspicious activities that might indicate a broader attack.
- Investigate the process or application that initiated the registry change by reviewing process creation logs or command-line arguments around the time of the event. This can help identify the source of the change.
- Assess the affected system for any signs of compromise or unauthorized access, such as unusual network connections, unexpected running processes, or new user accounts.
- Consult threat intelligence sources to determine if the observed behavior matches any known attack patterns or campaigns, particularly those involving privilege escalation techniques.
- If possible, restore the Windir or SystemRoot environment variable to its expected value and monitor the system for any further unauthorized changes.

### False positive analysis

- System updates or patches may temporarily alter the Windir environment variable. Monitor for these events during known maintenance windows and consider excluding them from alerts.
- Custom scripts or applications that modify environment variables for legitimate purposes can trigger false positives. Identify these scripts and whitelist their activity in the detection rule.
- User profile migrations or system restorations might change the Windir path. Exclude these operations if they are part of routine IT processes.
- Virtual environments or sandboxed applications may use different Windir paths. Verify these environments and adjust the detection rule to accommodate their specific configurations.
- Administrative tools that modify user environments for configuration management can cause alerts. Document these tools and create exceptions for their expected behavior.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Revert the Windir environment variable to its legitimate value, typically "C:\\windows", to restore normal system operations.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software or scripts.
- Review recent user activity and system logs to identify any unauthorized access or changes, focusing on the time frame around the detected registry change.
- Reset passwords for any user accounts that may have been compromised, especially those with elevated privileges.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to alter critical environment variables or other suspicious activities."""
references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"]
risk_score = 73
rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("windir", "systemroot") and
registry.path : (
    "HKEY_USERS\\*\\Environment\\windir",
    "HKEY_USERS\\*\\Environment\\systemroot",
    "HKU\\*\\Environment\\windir",
    "HKU\\*\\Environment\\systemroot",
    "HKCU\\*\\Environment\\windir",
    "HKCU\\*\\Environment\\systemroot",
    "\\REGISTRY\\USER\\*\\Environment\\windir",
    "\\REGISTRY\\USER\\*\\Environment\\systemroot",
    "USER\\*\\Environment\\windir",
    "USER\\*\\Environment\\systemroot"
    ) and
not registry.data.strings : ("C:\\windows", "%SystemRoot%")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.007"
name = "Path Interception by PATH Environment Variable"
reference = "https://attack.mitre.org/techniques/T1574/007/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
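To see exactly which registry events the where-clause above fires on, here is the rule's logic re-implemented in Python and run over a handful of constructed events. This is an added example, not Elastic's code: EQL's case-insensitive, wildcard-aware `:` operator is emulated with fnmatch, the events use flattened ECS field names, and the SID and paths are made up for illustration.

```python
import fnmatch

# Value names, path patterns and expected data copied from the rule's EQL query.
WATCHED_VALUES = ("windir", "systemroot")
WATCHED_PATHS = (
    r"HKEY_USERS\*\Environment\windir", r"HKEY_USERS\*\Environment\systemroot",
    r"HKU\*\Environment\windir", r"HKU\*\Environment\systemroot",
    r"HKCU\*\Environment\windir", r"HKCU\*\Environment\systemroot",
    r"\REGISTRY\USER\*\Environment\windir", r"\REGISTRY\USER\*\Environment\systemroot",
    r"USER\*\Environment\windir", r"USER\*\Environment\systemroot",
)
EXPECTED_DATA = (r"C:\windows", "%SystemRoot%")

def eql_match(value: str, patterns) -> bool:
    """Emulate EQL's ':' operator: case-insensitive, '*' is a wildcard, backslash is literal."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(event: dict) -> bool:
    """True when a flattened ECS registry event satisfies the rule's where-clause."""
    if (event.get("event.category") != "registry" or event.get("host.os.type") != "windows"
            or event.get("event.type") != "change"):
        return False
    if not (eql_match(event.get("registry.value", ""), WATCHED_VALUES)
            and eql_match(event.get("registry.path", ""), WATCHED_PATHS)):
        return False
    # `not registry.data.strings : (...)`: an array field matches when ANY element does, so one
    # expected element suppresses the alert; the comparison is exact apart from case.
    return not any(eql_match(s, EXPECTED_DATA) for s in event.get("registry.data.strings") or [])

def _evt(eid, path, data, value="windir", etype="change"):
    """Constructed sample event using flattened ECS field names (not real telemetry)."""
    return {"id": eid, "event.category": "registry", "event.type": etype, "host.os.type": "windows",
            "registry.value": value, "registry.path": path, "registry.data.strings": data}

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
HKU_ENV = "HKU\\" + SID + "\\Environment\\"
SAMPLE_EVENTS = [
    _evt("benign-default", HKU_ENV + "windir", ["c:\\Windows"]),        # only case differs: suppressed
    _evt("benign-expanded", HKU_ENV + "SystemRoot", ["%SystemRoot%"], value="SystemRoot"),
    _evt("rogue-user-dir", HKU_ENV + "windir", ["C:\\Users\\Public\\windows"]),
    _evt("machine-hive", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\windir",
         ["C:\\Users\\Public\\windows"]),                                # HKLM is not in the rule's path list
    _evt("deleted-value", HKU_ENV + "windir", [], etype="deletion"),    # rule requires event.type "change"
    _evt("trailing-slash", HKU_ENV + "windir", ["C:\\windows\\"]),      # exact-match exclusion: still fires
]

def alerting_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]
```

The trailing-slash case is worth remembering when tuning: the exclusion list is an exact (case-insensitive) match, so a benign value written as `C:\windows\` would still raise an alert unless an exception is added.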