Process Created with an Elevated Token
Identifies the creation of a process running as SYSTEM and impersonating the privileges of a Windows core binary. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule
[metadata]
creation_date = "2022/10/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
may create a new process with a different token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Created with an Elevated Token"
references = [
    "https://lengjibo.github.io/token/",
    "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
]
risk_score = 73
rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* This rule is only compatible with Elastic Endpoint 8.4+ */

process where host.os.type == "windows" and event.action == "start" and

  /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
  user.id : "S-1-5-18" and

  /* Token Theft target process usually running as service are located in one of the following paths */
  process.Ext.effective_parent.executable :
                ("?:\\Windows\\*.exe",
                 "?:\\Program Files\\*.exe",
                 "?:\\Program Files (x86)\\*.exe",
                 "?:\\ProgramData\\*") and

  /* Ignores Utility Manager in Windows running in debug mode */
  not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
       process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and

  /* Ignores Windows print spooler service with correlation to Access Intelligent Form */
  not (process.parent.executable : "?:\\Windows\\System32\\spoolsv.exe" and
       process.executable: "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe") and

  /* Ignores Windows error reporting executables */
  not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
                            "?:\\Windows\\SysWOW64\\WerFault.exe",
                            "?:\\Windows\\System32\\WerFaultSecure.exe",
                            "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
                            "?:\\windows\\system32\\WerMgr.exe",
                            "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and

  /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
  not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
       process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
                             "?:\\Windows\\WinSxS\\*.exe",
                             "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\System32\\lodctr.exe",
                             "?:\\Windows\\SysWOW64\\lodctr.exe",
                             "?:\\Windows\\System32\\netcfg.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and

  /* Ignores additional parent executables that run with elevated privileges */
  not process.parent.executable :
                ("?:\\Windows\\System32\\AtBroker.exe",
                 "?:\\Windows\\system32\\svchost.exe",
                 "?:\\Program Files (x86)\\*.exe",
                 "?:\\Program Files\\*.exe",
                 "?:\\Windows\\System32\\msiexec.exe",
                 "?:\\Windows\\System32\\DriverStore\\*") and

  /* Ignores Windows binaries with a trusted signature and specific signature name */
  not (process.code_signature.trusted == true and
       process.code_signature.subject_name :
                ("philandro Software GmbH",
                 "Freedom Scientific Inc.",
                 "TeamViewer Germany GmbH",
                 "Projector.is, Inc.",
                 "TeamViewer GmbH",
                 "Cisco WebEx LLC",
                 "Dell Inc"))
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Process Created with an Elevated Token

In Windows environments, processes can be created with elevated tokens to perform tasks requiring higher privileges. Adversaries exploit this by impersonating system-level binaries to escalate privileges and bypass security controls. The detection rule identifies such activities by monitoring process creation events, focusing on those initiated by privileged binaries and excluding known benign processes. This helps in identifying unauthorized privilege escalation attempts.

### Possible investigation steps

- Review the process creation event details to identify the specific executable and its parent process, focusing on the fields process.executable and process.Ext.effective_parent.executable.
- Check the user.id field to confirm if the process was created with the SYSTEM user ID (S-1-5-18), indicating elevated privileges.
- Investigate the parent process executable path to determine if it matches any known privileged Microsoft native binaries, which could be targets for token theft.
- Examine the process code signature details, especially process.code_signature.trusted and process.code_signature.subject_name, to verify if the executable is signed by a trusted entity or if it matches any excluded signatures.
- Correlate the process creation event with other security logs and alerts to identify any related suspicious activities or patterns that might indicate privilege escalation attempts.
- Assess the context and timing of the event to determine if it aligns with legitimate administrative tasks or if it appears anomalous in the environment.

### False positive analysis

- Utility Manager in Windows running in debug mode can trigger false positives. To handle this, exclude processes where both the effective parent and parent executables are Utilman.exe with the /debug argument.
- Windows print spooler service correlated with Access Intelligent Form may cause false alerts. Exclude processes where the parent executable is spoolsv.exe and the process executable is LaunchCreate.exe under Access Intelligent Form.
- Windows error reporting executables like WerFault.exe can be mistakenly flagged. Exclude these specific executables from the rule to prevent unnecessary alerts.
- Windows updates initiated by TiWorker.exe running with elevated privileges can be misidentified. Exclude processes where TiWorker.exe is the parent and the process executable matches known update-related paths.
- Additional parent executables that typically run with elevated privileges, such as AtBroker.exe and svchost.exe, can lead to false positives. Exclude these parent executables from the rule to reduce noise.
- Trusted Windows binaries with specific signature names, such as those from TeamViewer or Cisco WebEx, may be incorrectly flagged. Exclude processes with a trusted code signature and matching subject names to avoid false alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified by the detection rule that are running with elevated privileges, especially those not matching known benign processes.
- Conduct a thorough review of user accounts and privileges on the affected system to identify and disable any unauthorized accounts or privilege escalations.
- Restore the affected system from a known good backup to ensure any malicious changes are reverted, and verify the integrity of the system post-restoration.
- Implement additional monitoring on the affected system and network to detect any further attempts at privilege escalation or token manipulation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.
- Review and update endpoint protection and detection capabilities to ensure they are configured to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on Access Token Manipulation (T1134)."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Expired or Revoked Driver Loaded
- Parent Process PID Spoofing
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack