Process Created with an Elevated Token
Identifies the creation of a process running as SYSTEM and impersonating the privileges of a Windows core binary. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
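[metadata]
creation_date = "2022/10/20"
integration = ["endpoint"]
maturity = "production"
# The query depends on process.Ext.effective_parent.executable, which is only
# populated by Elastic Endpoint 8.4+ (see min_stack_version below).
min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable"
min_stack_version = "8.4.0"
updated_date = "2023/03/07"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
may create a new process with a different token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Process Created with an Elevated Token"
references = [
  "https://lengjibo.github.io/token/",
  "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
]
risk_score = 73
rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: a process start whose primary token is SYSTEM (S-1-5-18) and
# whose effective parent (the token source) is a native binary under
# Windows / Program Files / ProgramData, minus known-benign parent/child pairs.
#
# Every path literal in the exclusions must carry the "?:" drive prefix: the EQL
# wildcard "?" matches exactly one character, so a pattern like "?\\Windows\\..."
# never matches "C:\Windows\..." and silently disables that exclusion. The
# spoolsv.exe exclusion previously had this defect and is corrected below.
# The ":" operator is case-insensitive, so mixed-case literals such as
# "?:\\windows\\system32\\WerMgr.exe" match the same paths as their canonical form.
#
# NOTE(review): the parent-process exclusions for "?:\\Program Files*\\*.exe" and
# "?:\\Windows\\System32\\DriverStore\\*" are broad — any SYSTEM child of such a
# parent is excluded regardless of signature. Review them against your environment
# and consider narrowing to specific binaries where the volume allows.
query = '''
/* This rule is only compatible with Elastic Endpoint 8.4+ */

process where host.os.type == "windows" and event.action == "start" and

  /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
  user.id : "S-1-5-18" and

  /* Token Theft target process usually running as service are located in one of the following paths */
  process.Ext.effective_parent.executable :
    ("?:\\Windows\\*.exe",
     "?:\\Program Files\\*.exe",
     "?:\\Program Files (x86)\\*.exe",
     "?:\\ProgramData\\*") and

  /* Ignores Utility Manager in Windows running in debug mode */
  not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
       process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and

  /* Ignores Windows print spooler service with correlation to Access Intelligent Form */
  not (process.parent.executable : "?:\\Windows\\System32\\spoolsv.exe" and
       process.executable: "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe") and

  /* Ignores Windows error reporting executables */
  not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
                            "?:\\Windows\\SysWOW64\\WerFault.exe",
                            "?:\\Windows\\System32\\WerFaultSecure.exe",
                            "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
                            "?:\\windows\\system32\\WerMgr.exe",
                            "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and

  /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
  not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
       process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
                             "?:\\Windows\\WinSxS\\*.exe",
                             "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\System32\\lodctr.exe",
                             "?:\\Windows\\SysWOW64\\lodctr.exe",
                             "?:\\Windows\\System32\\netcfg.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and

  /* Ignores additional parent executables that run with elevated privileges */
  not process.parent.executable :
    ("?:\\Windows\\System32\\AtBroker.exe",
     "?:\\Windows\\system32\\svchost.exe",
     "?:\\Program Files (x86)\\*.exe",
     "?:\\Program Files\\*.exe",
     "?:\\Windows\\System32\\msiexec.exe",
     "?:\\Windows\\System32\\DriverStore\\*") and

  /* Ignores Windows binaries with a trusted signature and specific signature name */
  not (process.code_signature.trusted == true and
       process.code_signature.subject_name :
         ("philandro Software GmbH",
          "Freedom Scientific Inc.",
          "TeamViewer Germany GmbH",
          "Projector.is, Inc.",
          "TeamViewer GmbH",
          "Cisco WebEx LLC",
          "Dell Inc"))
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"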