Process Created with an Elevated Token

Identifies the creation of a process running as SYSTEM and impersonating the privileges of a Windows core binary. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/10/20"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
 11may create a new process with a different token to escalate privileges and bypass access controls.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Process Created with an Elevated Token"
 18references = [
 19    "https://lengjibo.github.io/token/",
 20    "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
 21]
 22risk_score = 73
 23rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
 24severity = "high"
 25tags = [
 26    "Domain: Endpoint",
 27    "OS: Windows",
 28    "Use Case: Threat Detection",
 29    "Tactic: Privilege Escalation",
 30    "Data Source: Elastic Defend",
 31]
 32timestamp_override = "event.ingested"
 33type = "eql"
 34
 35query = '''
 36/* This rule is only compatible with Elastic Endpoint 8.4+ */
 37
 38process where host.os.type == "windows" and event.action == "start" and
 39
 40 /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
 41 user.id : "S-1-5-18"  and
 42
 43 /* Token Theft target process usually running as service are located in one of the following paths */
 44 process.Ext.effective_parent.executable :
 45                ("?:\\Windows\\*.exe",
 46                 "?:\\Program Files\\*.exe",
 47                 "?:\\Program Files (x86)\\*.exe",
 48                 "?:\\ProgramData\\*") and
 49
 50/* Ignores Utility Manager in Windows running in debug mode */
 51 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
 52      process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and
 53
 54/* Ignores Windows print spooler service with correlation to Access Intelligent Form */
 55not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
 56     process.executable: "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe") and 
 57
 58/* Ignores Windows error reporting executables */
 59 not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
 60                           "?:\\Windows\\SysWOW64\\WerFault.exe",
 61                           "?:\\Windows\\System32\\WerFaultSecure.exe",
 62                           "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
 63                           "?:\\windows\\system32\\WerMgr.exe",
 64                           "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe")  and
 65
 66 /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
 67 not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
 68      process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
 69                            "?:\\Windows\\WinSxS\\*.exe",
 70                            "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
 71                            "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
 72                            "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
 73                            "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
 74                            "?:\\Windows\\System32\\lodctr.exe",
 75                            "?:\\Windows\\SysWOW64\\lodctr.exe",
 76                            "?:\\Windows\\System32\\netcfg.exe",
 77                            "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
 78                            "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and
 79
 80
 81/* Ignores additional parent executables that run with elevated privileges */
 82 not process.parent.executable : 
 83               ("?:\\Windows\\System32\\AtBroker.exe", 
 84                "?:\\Windows\\system32\\svchost.exe", 
 85                "?:\\Program Files (x86)\\*.exe", 
 86                "?:\\Program Files\\*.exe", 
 87                "?:\\Windows\\System32\\msiexec.exe",
 88                "?:\\Windows\\System32\\DriverStore\\*") and
 89
 90/* Ignores Windows binaries with a trusted signature and specific signature name */
 91 not (process.code_signature.trusted == true and
 92      process.code_signature.subject_name : 
 93                ("philandro Software GmbH", 
 94                 "Freedom Scientific Inc.", 
 95                 "TeamViewer Germany GmbH", 
 96                 "Projector.is, Inc.", 
 97                 "TeamViewer GmbH", 
 98                 "Cisco WebEx LLC", 
 99                 "Dell Inc"))
100'''
101
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1134"
107name = "Access Token Manipulation"
108reference = "https://attack.mitre.org/techniques/T1134/"
109[[rule.threat.technique.subtechnique]]
110id = "T1134.002"
111name = "Create Process with Token"
112reference = "https://attack.mitre.org/techniques/T1134/002/"
113
114
115
116[rule.threat.tactic]
117id = "TA0004"
118name = "Privilege Escalation"
119reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules
