Process Created with an Elevated Token

calendarMar 8, 2023  ·
Share on: linkedincopy

Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/10/20"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable"
  6min_stack_version = "8.4.0"
  7updated_date = "2023/03/07"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
 13may create a new process with a different token to escalate privileges and bypass access controls.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Process Created with an Elevated Token"
 20references = [
 21    "https://lengjibo.github.io/token/",
 22    "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
 23]
 24risk_score = 73
 25rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
 26severity = "high"
 27tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 28timestamp_override = "event.ingested"
 29type = "eql"
 30
 31query = '''
 32/* This rule is only compatible with Elastic Endpoint 8.4+ */
 33
 34process where host.os.type == "windows" and event.action == "start" and
 35
 36 /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
 37 user.id : "S-1-5-18"  and
 38
 39 /* Token Theft target process usually running as service are located in one of the following paths */
 40 process.Ext.effective_parent.executable :
 41                ("?:\\Windows\\*.exe",
 42                 "?:\\Program Files\\*.exe",
 43                 "?:\\Program Files (x86)\\*.exe",
 44                 "?:\\ProgramData\\*") and
 45
 46/* Ignores Utility Manager in Windows running in debug mode */
 47 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
 48      process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and
 49
 50/* Ignores Windows print spooler service with correlation to Access Intelligent Form */
 51not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
 52     process.executable: "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe") and 
 53
 54/* Ignores Windows error reporting executables */
 55 not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
 56                           "?:\\Windows\\SysWOW64\\WerFault.exe",
 57                           "?:\\Windows\\System32\\WerFaultSecure.exe",
 58                           "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
 59                           "?:\\windows\\system32\\WerMgr.exe",
 60                           "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe")  and
 61
 62 /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
 63 not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
 64      process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
 65                            "?:\\Windows\\WinSxS\\*.exe",
 66                            "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
 67                            "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
 68                            "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
 69                            "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
 70                            "?:\\Windows\\System32\\lodctr.exe",
 71                            "?:\\Windows\\SysWOW64\\lodctr.exe",
 72                            "?:\\Windows\\System32\\netcfg.exe",
 73                            "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
 74                            "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and
 75
 76
 77/* Ignores additional parent executables that run with elevated privileges */
 78 not process.parent.executable : 
 79               ("?:\\Windows\\System32\\AtBroker.exe", 
 80                "?:\\Windows\\system32\\svchost.exe", 
 81                "?:\\Program Files (x86)\\*.exe", 
 82                "?:\\Program Files\\*.exe", 
 83                "?:\\Windows\\System32\\msiexec.exe",
 84                "?:\\Windows\\System32\\DriverStore\\*") and
 85
 86/* Ignores Windows binaries with a trusted signature and specific signature name */
 87 not (process.code_signature.trusted == true and
 88      process.code_signature.subject_name : 
 89                ("philandro Software GmbH", 
 90                 "Freedom Scientific Inc.", 
 91                 "TeamViewer Germany GmbH", 
 92                 "Projector.is, Inc.", 
 93                 "TeamViewer GmbH", 
 94                 "Cisco WebEx LLC", 
 95                 "Dell Inc"))
 96'''
 97
 98
 99[[rule.threat]]
100framework = "MITRE ATT&CK"
101[[rule.threat.technique]]
102id = "T1134"
103name = "Access Token Manipulation"
104reference = "https://attack.mitre.org/techniques/T1134/"
105[[rule.threat.technique.subtechnique]]
106id = "T1134.002"
107name = "Create Process with Token"
108reference = "https://attack.mitre.org/techniques/T1134/002/"
109
110
111
112[rule.threat.tactic]
113id = "TA0004"
114name = "Privilege Escalation"
115reference = "https://attack.mitre.org/tactics/TA0004/"

to-top