Privilege Escalation via Rogue Named Pipe Impersonation
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/13"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
11masquerading as a known named pipe and manipulating a privileged process to connect to it.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Privilege Escalation via Rogue Named Pipe Impersonation"
18references = [
19 "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
20 "https://github.com/zcgonvh/EfsPotato",
21 "https://twitter.com/SBousseaden/status/1429530155291193354",
22]
23risk_score = 73
24rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
25setup = """## Setup
26
27Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
28`condition equal "contains" and keyword equal "pipe"`
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "high"
37tags = [
38 "Domain: Endpoint",
39 "OS: Windows",
40 "Use Case: Threat Detection",
41 "Tactic: Privilege Escalation",
42 "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48file where host.os.type == "windows" and event.action : "Pipe Created*" and
49 /* normal sysmon named pipe creation events truncate the pipe keyword */
50 file.name : "\\*\\Pipe\\*"
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1134"
58name = "Access Token Manipulation"
59reference = "https://attack.mitre.org/techniques/T1134/"
60
61
62[rule.threat.tactic]
63id = "TA0004"
64name = "Privilege Escalation"
65reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
Over the last few years, tools such as RottenPotato, RottenPotatoNG or Juicy Potato have made the exploitation of impersonation privileges on Windows very popular among the offensive security community. Though, recent changes to the operating system have intentionally or unintentionally reduced the power of these techniques on Windows 10 and Server 2016/2019. Today, I want to introduce a new tool that will allow pentesters to easily leverage these privileges again.
Read More -
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). - zcgonvh/EfsPotato
Read More
Related rules
- Account Discovery Command via SYSTEM Account
- Conhost Spawned By Suspicious Parent Process
- Disabling User Account Control via Registry Modification
- Persistence via PowerShell profile
- Potential Persistence via Time Provider Modification