Privilege Escalation via Windir Environment Variable

Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/11/26"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known
primitive that is often combined with other vulnerabilities to elevate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Windir Environment Variable"
references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"]
risk_score = 73
rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("windir", "systemroot") and
registry.path : (
    "HKEY_USERS\\*\\Environment\\windir",
    "HKEY_USERS\\*\\Environment\\systemroot",
    "HKU\\*\\Environment\\windir",
    "HKU\\*\\Environment\\systemroot",
    "HKCU\\*\\Environment\\windir",
    "HKCU\\*\\Environment\\systemroot",
    "\\REGISTRY\\USER\\*\\Environment\\windir",
    "\\REGISTRY\\USER\\*\\Environment\\systemroot",
    "USER\\*\\Environment\\windir",
    "USER\\*\\Environment\\systemroot"
    ) and
 not registry.data.strings : ("C:\\windows", "%SystemRoot%")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Privilege Escalation via Windir Environment Variable

The Windir environment variable points to the Windows directory, crucial for system operations. Adversaries may alter this variable to redirect processes to malicious directories, gaining elevated privileges. The detection rule monitors changes to this variable in the registry, flagging deviations from expected paths like "C:\\windows," thus identifying potential privilege escalation attempts.

### Possible investigation steps

- Review the registry change event details to identify the specific user account associated with the altered Windir or SystemRoot environment variable. This can be done by examining the registry path and user context in the event data.
- Check the registry data strings to determine the new path set for the Windir or SystemRoot variable. Investigate if this path points to a known malicious directory or an unexpected location.
- Correlate the event with other recent registry changes or system events on the same host to identify any patterns or additional suspicious activities that might indicate a broader attack.
- Investigate the process or application that initiated the registry change by reviewing process creation logs or command-line arguments around the time of the event. This can help identify the source of the change.
- Assess the affected system for any signs of compromise or unauthorized access, such as unusual network connections, unexpected running processes, or new user accounts.
- Consult threat intelligence sources to determine if the observed behavior matches any known attack patterns or campaigns, particularly those involving privilege escalation techniques.
- If possible, restore the Windir or SystemRoot environment variable to its expected value and monitor the system for any further unauthorized changes.

### False positive analysis

- System updates or patches may temporarily alter the Windir environment variable. Monitor for these events during known maintenance windows and consider excluding them from alerts.
- Custom scripts or applications that modify environment variables for legitimate purposes can trigger false positives. Identify these scripts and whitelist their activity in the detection rule.
- User profile migrations or system restorations might change the Windir path. Exclude these operations if they are part of routine IT processes.
- Virtual environments or sandboxed applications may use different Windir paths. Verify these environments and adjust the detection rule to accommodate their specific configurations.
- Administrative tools that modify user environments for configuration management can cause alerts. Document these tools and create exceptions for their expected behavior.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Revert the Windir environment variable to its legitimate value, typically "C:\\windows", to restore normal system operations.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software or scripts.
- Review recent user activity and system logs to identify any unauthorized access or changes, focusing on the time frame around the detected registry change.
- Reset passwords for any user accounts that may have been compromised, especially those with elevated privileges.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to alter critical environment variables or other suspicious activities."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.007"
name = "Path Interception by PATH Environment Variable"
reference = "https://attack.mitre.org/techniques/T1574/007/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
...
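To make the query's conditions concrete, the following is an added example, not Elastic's code and not its EQL engine: a small Python emulation of the rule run over a handful of constructed ECS-style registry events. It reproduces the three filters the query applies (value name, wildcard path match against a user hive, exclusion of the expected `C:\windows` / `%SystemRoot%` data) and, for each hit, returns the fields the investigation guide asks for first: the user SID taken from the hive path, the new data, and the writing process. Every event, SID, path and process name below is constructed for the example. It also shows a detail the rule relies on: EQL's `:` operator compares case-insensitively, so a value of `C:\WINDOWS` is still treated as expected and does not alert.

```python
"""Offline emulation of the Windir environment-variable rule (added example)."""
import re
from typing import Iterable

# Path patterns from the rule's query, written with single backslashes here
# (the TOML/EQL source doubles them). `*` is a wildcard, as in EQL's `:`.
PATH_PATTERNS = (
    r"HKEY_USERS\*\Environment\windir", r"HKEY_USERS\*\Environment\systemroot",
    r"HKU\*\Environment\windir", r"HKU\*\Environment\systemroot",
    r"HKCU\*\Environment\windir", r"HKCU\*\Environment\systemroot",
    r"\REGISTRY\USER\*\Environment\windir", r"\REGISTRY\USER\*\Environment\systemroot",
    r"USER\*\Environment\windir", r"USER\*\Environment\systemroot",
)
VALUE_NAMES = ("windir", "systemroot")
# Data the rule treats as expected; anything else written to these values alerts.
EXPECTED_DATA = ("c:\\windows", "%systemroot%")


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Turn an EQL-style wildcard pattern into an anchored, case-insensitive regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


_PATH_REGEXES = tuple(_glob_to_regex(p) for p in PATH_PATTERNS)
_SID_RE = re.compile(r"(S-1-5-21-[\d-]+)", re.IGNORECASE)


def path_matches(registry_path: str) -> bool:
    return any(rx.match(registry_path) for rx in _PATH_REGEXES)


def matches_rule(event: dict) -> bool:
    """True when one flat ECS-style event satisfies every condition of the query."""
    categories = event.get("event.category") or []
    if isinstance(categories, str):
        categories = [categories]
    if "registry" not in categories:                      # `registry where ...`
        return False
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if str(event.get("registry.value", "")).lower() not in VALUE_NAMES:
        return False
    if not path_matches(event.get("registry.path", "")):
        return False
    data = event.get("registry.data.strings") or []
    # Case-insensitive, like EQL's `:` operator: "C:\WINDOWS" is still expected.
    return not any(str(d).lower() in EXPECTED_DATA for d in data)


def triage(event: dict) -> dict:
    """Pull out what the investigation guide asks for first."""
    sid = _SID_RE.search(event.get("registry.path", ""))
    return {
        "user_sid": sid.group(1) if sid else None,
        "value_name": event.get("registry.value"),
        "new_data": [str(d) for d in event.get("registry.data.strings") or []],
        "process": event.get("process.name"),
    }


def run_rule(events: Iterable[dict]) -> list[dict]:
    return [triage(e) for e in events if matches_rule(e)]


# Constructed sample events (SIDs, paths and process names are made up).
_BASE = {"event.category": ["registry"], "event.type": "change", "host.os.type": "windows"}
SAMPLE_EVENTS = [
    # windir in a user hive pointed at a user-writable directory: should alert
    {**_BASE, "registry.path": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\windir",
     "registry.value": "windir", "registry.data.strings": [r"C:\Users\alice\AppData\Local\Temp\w"],
     "process.name": "powershell.exe"},
    # expected value in a different case: excluded by the case-insensitive comparison
    {**_BASE, "registry.path": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\windir",
     "registry.value": "windir", "registry.data.strings": [r"C:\WINDOWS"], "process.name": "explorer.exe"},
    # %SystemRoot% is also on the rule's expected list
    {**_BASE, "registry.path": r"HKCU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\systemroot",
     "registry.value": "systemroot", "registry.data.strings": ["%SystemRoot%"], "process.name": "explorer.exe"},
    # a different Environment value: path pattern does not match
    {**_BASE, "registry.path": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\Path",
     "registry.value": "Path", "registry.data.strings": [r"C:\Tools"], "process.name": "setx.exe"},
    # native \REGISTRY\USER form with mixed-case value name: should alert
    {**_BASE, "registry.path": r"\REGISTRY\USER\S-1-5-21-4444444444-5555555555-6666666666-1002\Environment\SystemRoot",
     "registry.value": "SystemRoot", "registry.data.strings": [r"D:\staging"], "process.name": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

The emulation is deliberately literal about the query: it does not try to reproduce the rule's `from = "now-9m"` window or the `timestamp_override`, and the exception handling the false-positive section recommends (excluding known configuration-management tools) would be an additional filter on `process.name` applied after `matches_rule`.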
