Privilege Escalation via Rogue Named Pipe Impersonation
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/13"
3integration = ["windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
13masquerading as a known named pipe and manipulating a privileged process to connect to it.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Privilege Escalation via Rogue Named Pipe Impersonation"
20references = [
21 "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
22 "https://github.com/zcgonvh/EfsPotato",
23 "https://twitter.com/SBousseaden/status/1429530155291193354",
24]
25risk_score = 73
26rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
27setup = """## Setup
28
29Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
30`condition equal "contains" and keyword equal "pipe"`
31
32If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
33events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
34Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
35`event.ingested` to @timestamp.
36For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
37"""
38severity = "high"
39tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon"]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44file where host.os.type == "windows" and event.action : "Pipe Created*" and
45 /* normal sysmon named pipe creation events truncate the pipe keyword */
46 file.name : "\\*\\Pipe\\*"
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1134"
54name = "Access Token Manipulation"
55reference = "https://attack.mitre.org/techniques/T1134/"
56
57
58[rule.threat.tactic]
59id = "TA0004"
60name = "Privilege Escalation"
61reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
Over the last few years, tools such as RottenPotato, RottenPotatoNG or Juicy Potato have made the exploitation of impersonation privileges on Windows very popular among the offensive security community. Though, recent changes to the operating system have intentionally or unintentionally reduced the power of these techniques on Windows 10 and Server 2016/2019. Today, I want to introduce a new tool that will allow pentesters to easily leverage these privileges again.
Read More -
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). - zcgonvh/EfsPotato
Read More -
Related rules
- Process Injection by the Microsoft Build Engine
- File Creation Time Changed
- MS Office Macro Security Registry Modifications
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump