Process Created with an Elevated Token
Identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/10/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary.
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Created with an Elevated Token"
references = [
    "https://lengjibo.github.io/token/",
    "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
]
risk_score = 73
rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.action == "start" and

  /* CreateProcessWithToken: the effective parent is a privileged Microsoft native binary used as a token theft target */
  user.id == "S-1-5-18" and process.parent.executable != null and

  /* Token theft target processes (usually services) are located under the Windows directory */
  process.Ext.effective_parent.executable : "?:\\Windows\\*.exe" and

  /* Ignores Utility Manager in Windows running in debug mode */
  not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
       process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and

  /* Ignores the Windows print spooler service with correlation to Access Intelligent Form */
  not (process.parent.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\PrintIsolationHost.exe") and
       process.executable : ("?:\\Program Files\\*.exe",
                             "?:\\Program Files (x86)\\*.exe",
                             "?:\\Windows\\System32\\spool\\drivers\\*.exe",
                             "?:\\Windows\\System32\\ROUTE.EXE")) and

  /* Ignores Windows error reporting executables */
  not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
                            "?:\\Windows\\SysWOW64\\WerFault.exe",
                            "?:\\Windows\\System32\\WerFaultSecure.exe",
                            "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
                            "?:\\windows\\system32\\WerMgr.exe",
                            "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and

  /* Ignores Windows updates from TiWorker.exe, which runs with elevated privileges */
  not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
       process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
                             "?:\\Windows\\WinSxS\\*.exe",
                             "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\System32\\lodctr.exe",
                             "?:\\Windows\\SysWOW64\\lodctr.exe",
                             "?:\\Windows\\System32\\netcfg.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and

  /* Ignores additional parent executables that run with elevated privileges */
  not process.parent.executable :
          ("?:\\Windows\\System32\\AtBroker.exe",
           "?:\\Windows\\system32\\svchost.exe",
           "?:\\Program Files (x86)\\*.exe",
           "?:\\Program Files\\*.exe",
           "?:\\Windows\\System32\\msiexec.exe",
           "?:\\Windows\\System32\\DriverStore\\*",
           "?:\\Windows\\LTSvc\\*\\Update.exe") and

  /* Ignores binaries with a trusted signature and a specific signer name */
  not (process.code_signature.trusted == true and
       process.code_signature.subject_name :
               ("philandro Software GmbH",
                "Freedom Scientific Inc.",
                "TeamViewer Germany GmbH",
                "Projector.is, Inc.",
                "TeamViewer GmbH",
                "Cisco WebEx LLC",
                "Dell Inc",
                "Sophos Ltd",
                "Sophos Limited",
                "Brother Industries, Ltd.",
                "MILVUS INOVACOES EM SOFTWARE LTDA",
                "Chocolatey Software, Inc")) and

  not (process.Ext.effective_parent.executable : "?:\\Windows\\servicing\\TrustedInstaller.exe" and
       process.executable : "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe") and

  not process.Ext.effective_parent.executable : "?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\emulator\\MmrAgent.NetFxEmulator.exe"
'''

note = """## Triage and analysis

### Investigating Process Created with an Elevated Token
#### Possible investigation steps

- What SYSTEM token path did the alert record?
  - Why: CreateProcessWithTokenW-style abuse creates a process in a supplied token context, so child, OS parent, and effective parent must be interpreted together.
  - Focus: `user.id`, `process.executable`, `process.command_line`, `process.parent.executable`, and `process.Ext.effective_parent.executable`.
  - Implication: escalate when a payload or unusual command runs as `S-1-5-18` through a Windows effective parent without one exact recognized workflow; lower suspicion only when child, OS parent, and effective parent all bind to the same vendor, update, accessibility, or test activity.
- Does the OS parent explain why another token was used?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.parent.code_signature.subject_name`, and lineage when needed.
  - Implication: escalate when the parent is user-writable, script-driven, remote-tool initiated, unexpectedly signed, or unrelated to the effective parent; lower suspicion when it is a stable signed helper for the same component.
- Is the created process identity consistent with that workflow?
  - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, and `process.code_signature.subject_name`.
  - Implication: escalate when the SYSTEM child has an unexpected signer, user-writable path, new hash, or PE-name mismatch; lower suspicion when signer, hash history, path, and parent context all fit the same component.
- Does the token and session context explain the SYSTEM child?
  - Why: CreateProcessWithTokenW, CreateProcessAsUserW, and runas-style abuse can look ordinary unless token/session context is compared with lineage.
  - Focus: `process.Ext.authentication_id`, `process.Ext.session_info.logon_type`, `process.Ext.token.integrity_level_name`, `process.Ext.token.elevation_level`, and `user.id`.
  - Implication: escalate when SYSTEM or full-integrity execution appears in a logon/session context disconnected from parent or effective parent; lower suspicion when token level and session type match the same service, update, accessibility, or test component.
- Did the process tree show staging or immediate follow-on execution?
  - Why: token reuse after the first child makes repeated SYSTEM children or fresh executable timing a scope-expansion trigger.
  - Focus: same-`host.id` child process starts from `process.entity_id`; review child `process.executable`, `process.command_line`, `process.Ext.relative_file_creation_time`, and `process.Ext.relative_file_name_modify_time`. $investigate_0
  - Hint: if hash or relative-time values are empty, scope with `process.executable`, `process.command_line`, `process.parent.executable`, and `process.Ext.effective_parent.executable`; broaden only when local evidence stays suspicious or unresolved.
  - $investigate_1
  - $investigate_2
  - $investigate_3
  - Implication: escalate when the SYSTEM child launches shells, script interpreters, security tools, freshly created or renamed executables, or the same token-creation pattern on unrelated hosts; lower suspicion when descendants and recurrence stay inside the same component pattern.
- What disposition is supported?
  - Escalate on conflict across child command, parent/effective-parent pair, identity, token/session, or descendants. Close only when the same signed component explains all categories on this `host.id`; preserve and escalate when any element is missing or contradictory.

### False positive analysis

- Treat this alert as unusual until alert-local process evidence proves one component expected to create a SYSTEM process from another token, such as an unexcluded vendor support or accessibility helper, updater/installer, print or error-reporting component, or authorized security test.
- Confirm benign activity only when identity, parentage, token context, and scope all point to that component: `process.executable`, `process.hash.sha256`, `process.code_signature.subject_name`, `process.parent.executable`, `process.Ext.effective_parent.executable`, `user.id`, and `host.id`. A trusted signer, Windows path, or component label alone is insufficient.
- Before adding an exception, validate that the exact child/parent/effective-parent pattern is stable for the same host or managed host group. Build from minimum stable fields, avoiding broad exceptions on `process.name`, `user.name`, or `?:\\Windows\\*.exe` alone.

### Response and remediation

- Preserve evidence first: export the alert, process tree, `process.entity_id`, `process.pid`, command lines, hashes, signer details, token/session fields, and any descendant process records before containment or process termination.
- If suspicious but unconfirmed, preserve and scope first. Use reversible containment such as host isolation only when the SYSTEM child is still running, spawning descendants, or recurring beyond one validated workflow; otherwise keep the host connected for evidence collection while escalating.
- If malicious activity is confirmed, contain the host, block or quarantine confirmed malicious hashes or executables, and suspend or terminate the SYSTEM child only after recording its identifiers and collecting needed memory or file evidence.
- Eradicate only artifacts and configuration changes identified during investigation or incident response. Remediate the entry path that obtained or duplicated the token, and reset credentials only for accounts tied to confirmed misuse.
- After recovery, document the confirmed benign workflow or malicious child/parent/effective-parent pattern, and keep any exception scoped to the stable fields that proved the case."""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.pe.original_file_name",
    "process.hash.sha256",
    "process.code_signature.subject_name",
    "process.parent.executable",
    "process.parent.command_line",
    "process.Ext.effective_parent.executable",
    "process.Ext.session_info.logon_type",
    "process.Ext.token.integrity_level_name",
    "process.Ext.authentication_id",
]

[transform]

[[transform.investigate]]
label = "Child process starts from the SYSTEM process"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same token-creation pattern"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" },
        { excluded = false, field = "process.parent.executable", queryType = "phrase", value = "{{process.parent.executable}}", valueType = "string" },
        { excluded = false, field = "process.Ext.effective_parent.executable", queryType = "phrase", value = "{{process.Ext.effective_parent.executable}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
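To make the rule's predicate concrete, the following is an added Python example (not Elastic's code and not part of the rule) that re-implements the EQL query above and runs it over constructed Elastic Defend-style process start events. Field names follow the rule; `like()` approximates EQL's `:` operator (case-insensitive, `?` one character, `*` any run, matching any element of an array field); the sample paths, SIDs, WinSxS folder name and signer are constructed scenarios, one token-theft launch plus several benign shapes the exclusions are written for.

```python
from fnmatch import fnmatchcase

SYSTEM_SID = "S-1-5-18"  # user.id the rule requires (exact match, like EQL ==)

# Exclusion lists copied from the rule's EQL query; '?' = one character, '*' = any run (EQL ':' semantics).
WER_CHILDREN = [r"?:\Windows\System32\WerFault.exe", r"?:\Windows\SysWOW64\WerFault.exe",
                r"?:\Windows\System32\WerFaultSecure.exe", r"?:\Windows\SysWOW64\WerFaultSecure.exe",
                r"?:\windows\system32\WerMgr.exe",
                r"?:\Windows\SoftwareDistribution\Download\Install\securityhealthsetup.exe"]
SPOOLER_PARENTS = [r"?:\Windows\System32\spoolsv.exe", r"?:\Windows\System32\PrintIsolationHost.exe"]
SPOOLER_CHILDREN = [r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe",
                    r"?:\Windows\System32\spool\drivers\*.exe", r"?:\Windows\System32\ROUTE.EXE"]
TIWORKER_CHILDREN = [r"?:\Windows\Microsoft.NET\Framework*.exe", r"?:\Windows\WinSxS\*.exe",
                     r"?:\Windows\System32\inetsrv\iissetup.exe", r"?:\Windows\SysWOW64\inetsrv\iissetup.exe",
                     r"?:\Windows\System32\inetsrv\aspnetca.exe", r"?:\Windows\SysWOW64\inetsrv\aspnetca.exe",
                     r"?:\Windows\System32\lodctr.exe", r"?:\Windows\SysWOW64\lodctr.exe",
                     r"?:\Windows\System32\netcfg.exe", r"?:\Windows\Microsoft.NET\Framework*\*\ngen.exe",
                     r"?:\Windows\Microsoft.NET\Framework*\*\aspnet_regiis.exe"]
BENIGN_PARENTS = [r"?:\Windows\System32\AtBroker.exe", r"?:\Windows\system32\svchost.exe",
                  r"?:\Program Files (x86)\*.exe", r"?:\Program Files\*.exe", r"?:\Windows\System32\msiexec.exe",
                  r"?:\Windows\System32\DriverStore\*", r"?:\Windows\LTSvc\*\Update.exe"]
TRUSTED_SIGNERS = ["philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH",
                   "Projector.is, Inc.", "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc", "Sophos Ltd",
                   "Sophos Limited", "Brother Industries, Ltd.", "MILVUS INOVACOES EM SOFTWARE LTDA",
                   "Chocolatey Software, Inc"]


def get(ev, path):
    """Resolve a dotted ECS path such as 'process.parent.executable'; None when any segment is missing."""
    cur = ev
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def like(value, patterns):
    """Approximate EQL ':' for strings and arrays: case-insensitive wildcard match against any pattern."""
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def matches_rule(ev):
    """True when a process start event satisfies the rule's predicate with every exclusion applied."""
    if get(ev, "host.os.type") != "windows" or get(ev, "event.action") != "start":
        return False
    exe, parent = get(ev, "process.executable"), get(ev, "process.parent.executable")
    eff = get(ev, "process.Ext.effective_parent.executable")
    if get(ev, "user.id") != SYSTEM_SID or parent is None:
        return False
    if not like(eff, [r"?:\Windows\*.exe"]):  # token source must be a Windows-directory binary
        return False
    utilman = r"?:\Windows\System32\Utilman.exe"
    if like(eff, [utilman]) and like(parent, [utilman]) and like(get(ev, "process.parent.args"), ["/debug"]):
        return False
    if like(parent, SPOOLER_PARENTS) and like(exe, SPOOLER_CHILDREN):
        return False
    if like(exe, WER_CHILDREN):
        return False
    if like(parent, [r"?:\Windows\WinSxS\*\TiWorker.exe"]) and like(exe, TIWORKER_CHILDREN):
        return False
    if like(parent, BENIGN_PARENTS):
        return False
    if get(ev, "process.code_signature.trusted") is True and \
            like(get(ev, "process.code_signature.subject_name"), TRUSTED_SIGNERS):
        return False
    if like(eff, [r"?:\Windows\servicing\TrustedInstaller.exe"]) and \
            like(exe, [r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_*\TiWorker.exe"]):
        return False
    if like(eff, [r"?:\Windows\ServiceProfiles\LocalService\AppData\Local\ServicePortalAgent\current\emulator\MmrAgent.NetFxEmulator.exe"]):
        return False
    return True


def event(exe, parent, effective_parent, user_id=SYSTEM_SID, parent_args=None, signer=None):
    """Constructed Elastic Defend-style process start event (sample data, not real telemetry)."""
    ev = {"host": {"id": "host-1", "os": {"type": "windows"}}, "event": {"action": "start"},
          "user": {"id": user_id},
          "process": {"executable": exe, "parent": {"executable": parent, "args": parent_args or []},
                      "Ext": {"effective_parent": {"executable": effective_parent}}}}
    if signer:
        ev["process"]["code_signature"] = {"trusted": True, "subject_name": signer}
    return ev


# Constructed scenarios: the first is a token-theft launch (user-writable OS parent, winlogon.exe token);
# the rest are benign shapes the rule's exclusions are written for, plus one that is simply not SYSTEM.
SAMPLE_EVENTS = {
    "token_theft_cmd": event(r"C:\Windows\System32\cmd.exe", r"C:\Users\bob\AppData\Local\Temp\stager.exe",
                             r"C:\Windows\System32\winlogon.exe"),
    "utilman_debug": event(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\Utilman.exe",
                           r"C:\Windows\System32\Utilman.exe", parent_args=["Utilman.exe", "/debug"]),
    "werfault": event(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\svchost.exe",
                      r"C:\Windows\System32\svchost.exe"),
    "tiworker_ngen": event(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe",
                           r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_constructed\TiWorker.exe",
                           r"C:\Windows\servicing\TrustedInstaller.exe"),
    "signed_remote_tool": event(r"C:\Program Files\TeamViewer\TeamViewer.exe", r"C:\Windows\Temp\tvsetup.exe",
                                r"C:\Windows\System32\winlogon.exe", signer="TeamViewer Germany GmbH"),
    "not_system": event(r"C:\Windows\System32\cmd.exe", r"C:\Users\bob\AppData\Local\Temp\stager.exe",
                        r"C:\Windows\System32\winlogon.exe", user_id="S-1-5-21-1111-2222-3333-1001"),
}


def run_rule(events):
    """Names of the constructed events that would raise this alert."""
    return [name for name, ev in events.items() if matches_rule(ev)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['token_theft_cmd']
```

Only the constructed token-theft event survives: its OS parent sits in a user-writable temp directory while the effective parent is winlogon.exe, which is the shape the rule's first two conditions are looking for. The same child launched by a signed remote-support tool, by TiWorker.exe during servicing, or under a non-SYSTEM SID falls out through the corresponding exclusion, which is why the investigation guide insists on reading child, OS parent and effective parent together before closing.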
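The scope-expansion step of the investigation guide (descendants of the SYSTEM child on the same `host.id`, freshly created executables, and the same child/parent/effective-parent triple on other hosts, which is what the first two `transform.investigate` queries pull back) can be scripted over exported events. The following is an added Python example, not Elastic's code or part of the rule, run over constructed, flattened process start events; the set of shell and script-host image names and the one-hour "fresh executable" threshold on `process.Ext.relative_file_creation_time` (taken here as seconds) are assumptions for illustration.

```python
from collections import deque

# Assumption: shells and script hosts a SYSTEM child should not normally spawn from a borrowed token.
INTERACTIVE_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FRESH_SECONDS = 3600.0  # assumption: an image file created within the hour before launch counts as "fresh"


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def descendants(events, host_id, entity_id):
    """Breadth-first walk of process starts on one host, following process.parent.entity_id from the
    alerted process; this is the first transform.investigate query repeated for each generation."""
    by_parent = {}
    for ev in events:
        if ev["host.id"] == host_id and ev["event.action"] == "start":
            by_parent.setdefault(ev.get("process.parent.entity_id"), []).append(ev)
    found, queue = [], deque([entity_id])
    while queue:
        for child in by_parent.get(queue.popleft(), []):
            found.append(child)
            queue.append(child["process.entity_id"])
    return found


def same_pattern_hosts(events, alert):
    """Other hosts showing the alert's exact child/parent/effective-parent triple (second transform query)."""
    key = ("process.executable", "process.parent.executable", "process.Ext.effective_parent.executable")
    triple = tuple(alert[k] for k in key)
    return sorted({ev["host.id"] for ev in events
                   if ev["host.id"] != alert["host.id"] and tuple(ev.get(k) for k in key) == triple})


def triage(events, alert):
    """Apply the guide's scope-expansion checks to one alert and return the disposition they support."""
    findings = []
    kids = descendants(events, alert["host.id"], alert["process.entity_id"])
    for k in kids:
        if image_name(k["process.executable"]) in INTERACTIVE_CHILDREN:
            findings.append("shell/script child: " + k["process.command_line"])
        age = k.get("process.Ext.relative_file_creation_time")
        if age is not None and age < FRESH_SECONDS:
            findings.append(f"fresh executable ({age:.0f}s old): {k['process.executable']}")
    hosts = same_pattern_hosts(events, alert)
    if hosts:
        findings.append("same token-creation pattern on other hosts: " + ", ".join(hosts))
    return {"descendants": len(kids), "findings": findings,
            "disposition": "escalate" if findings else "validate against one signed component"}


def ev(host, entity, parent_entity, exe, cmd, parent_exe=None, eff=None, age=None):
    """Constructed, flattened process start event (sample data, not real telemetry)."""
    return {"host.id": host, "event.action": "start", "process.entity_id": entity,
            "process.parent.entity_id": parent_entity, "process.executable": exe, "process.command_line": cmd,
            "process.parent.executable": parent_exe, "process.Ext.effective_parent.executable": eff,
            "process.Ext.relative_file_creation_time": age}


# Constructed tree: the alerted cmd.exe spawns an encoded PowerShell and a minutes-old binary in Windows\Temp,
# which in turn runs whoami; host-2 shows the identical triple; ent-other is an unrelated process on host-1.
ALERT = ev("host-1", "ent-alert", "ent-stager", r"C:\Windows\System32\cmd.exe", "cmd.exe /c start",
           r"C:\Windows\Temp\stager.exe", r"C:\Windows\System32\winlogon.exe")
SAMPLE_EVENTS = [
    ALERT,
    ev("host-1", "ent-ps", "ent-alert", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -nop -w hidden -enc SQBFAFgA", age=9.1e7),
    ev("host-1", "ent-payload", "ent-alert", r"C:\Windows\Temp\upd.exe", "upd.exe --install", age=120.0),
    ev("host-1", "ent-whoami", "ent-payload", r"C:\Windows\System32\whoami.exe", "whoami /priv", age=9.1e7),
    ev("host-1", "ent-other", "ent-svchost", r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ev("host-2", "ent-h2", "ent-h2-stager", r"C:\Windows\System32\cmd.exe", "cmd.exe /c start",
       r"C:\Windows\Temp\stager.exe", r"C:\Windows\System32\winlogon.exe"),
]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, ALERT)["findings"]:
        print(line)
```

Each finding maps to an escalation trigger named in the guide: a shell or script interpreter under the SYSTEM child, an executable created minutes before it ran, and recurrence of the exact triple on an unrelated host. An alert with no descendants and no recurrence is not thereby benign; it only means the remaining work is identity, signer and token/session validation against one component.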
Related rules
- Bypass UAC via Event Viewer
- Potential Escalation via Vulnerable MSI Repair
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Windir Environment Variable
- Privileges Elevation via Parent Process PID Spoofing