Privilege Escalation via Rogue Named Pipe Impersonation
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/13"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
13masquerading as a known named pipe and manipulating a privileged process to connect to it.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Privilege Escalation via Rogue Named Pipe Impersonation"
20references = [
21 "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
22 "https://github.com/zcgonvh/EfsPotato",
23 "https://twitter.com/SBousseaden/status/1429530155291193354",
24]
25risk_score = 73
26rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
27setup = """## Setup
28
29Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
30`condition equal "contains" and keyword equal "pipe"`
31
32If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
33events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
34Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
35`event.ingested` to @timestamp.
36For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
37"""
38severity = "high"
39tags = [
40 "Domain: Endpoint",
41 "OS: Windows",
42 "Use Case: Threat Detection",
43 "Tactic: Privilege Escalation",
44 "Data Source: Sysmon",
45]
46timestamp_override = "event.ingested"
47type = "eql"
48
49query = '''
50file where host.os.type == "windows" and event.action : "Pipe Created*" and
51 /* normal sysmon named pipe creation events truncate the pipe keyword */
52 file.name : "\\*\\Pipe\\*"
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1134"
60name = "Access Token Manipulation"
61reference = "https://attack.mitre.org/techniques/T1134/"
62
63
64[rule.threat.tactic]
65id = "TA0004"
66name = "Privilege Escalation"
67reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
Over the last few years, tools such as RottenPotato, RottenPotatoNG or Juicy Potato have made the exploitation of impersonation privileges on Windows very popular among the offensive security community. Though, recent changes to the operating system have intentionally or unintentionally reduced the power of these techniques on Windows 10 and Server 2016/2019. Today, I want to introduce a new tool that will allow pentesters to easily leverage these privileges again.
Read More -
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). - zcgonvh/EfsPotato
Read More
Related rules
- Account Discovery Command via SYSTEM Account
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service
- Disabling User Account Control via Registry Modification
- Persistence via PowerShell profile