Process Created with an Elevated Token
Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/10/20"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
11may create a new process with a different token to escalate privileges and bypass access controls.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Process Created with an Elevated Token"
18references = [
19 "https://lengjibo.github.io/token/",
20 "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
21]
22risk_score = 73
23rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
24severity = "high"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Privilege Escalation",
30 "Data Source: Elastic Defend",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36/* This rule is only compatible with Elastic Endpoint 8.4+ */
37
38process where host.os.type == "windows" and event.action == "start" and
39
40 /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
41 user.id : "S-1-5-18" and
42
43 /* Token Theft target process usually running as service are located in one of the following paths */
44 process.Ext.effective_parent.executable :
45 ("?:\\Windows\\*.exe",
46 "?:\\Program Files\\*.exe",
47 "?:\\Program Files (x86)\\*.exe",
48 "?:\\ProgramData\\*") and
49
50/* Ignores Utility Manager in Windows running in debug mode */
51 not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
52 process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and
53
54/* Ignores Windows print spooler service with correlation to Access Intelligent Form */
55not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
56 process.executable: "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe") and
57
58/* Ignores Windows error reporting executables */
59 not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
60 "?:\\Windows\\SysWOW64\\WerFault.exe",
61 "?:\\Windows\\System32\\WerFaultSecure.exe",
62 "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
63 "?:\\windows\\system32\\WerMgr.exe",
64 "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
65
66 /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
67 not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
68 process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
69 "?:\\Windows\\WinSxS\\*.exe",
70 "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
71 "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
72 "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
73 "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
74 "?:\\Windows\\System32\\lodctr.exe",
75 "?:\\Windows\\SysWOW64\\lodctr.exe",
76 "?:\\Windows\\System32\\netcfg.exe",
77 "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
78 "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and
79
80
81/* Ignores additional parent executables that run with elevated privileges */
82 not process.parent.executable :
83 ("?:\\Windows\\System32\\AtBroker.exe",
84 "?:\\Windows\\system32\\svchost.exe",
85 "?:\\Program Files (x86)\\*.exe",
86 "?:\\Program Files\\*.exe",
87 "?:\\Windows\\System32\\msiexec.exe",
88 "?:\\Windows\\System32\\DriverStore\\*") and
89
90/* Ignores Windows binaries with a trusted signature and specific signature name */
91 not (process.code_signature.trusted == true and
92 process.code_signature.subject_name :
93 ("philandro Software GmbH",
94 "Freedom Scientific Inc.",
95 "TeamViewer Germany GmbH",
96 "Projector.is, Inc.",
97 "TeamViewer GmbH",
98 "Cisco WebEx LLC",
99 "Dell Inc"))
100'''
101
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1134"
107name = "Access Token Manipulation"
108reference = "https://attack.mitre.org/techniques/T1134/"
109[[rule.threat.technique.subtechnique]]
110id = "T1134.002"
111name = "Create Process with Token"
112reference = "https://attack.mitre.org/techniques/T1134/002/"
113
114
115
116[rule.threat.tactic]
117id = "TA0004"
118name = "Privilege Escalation"
119reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Account Discovery Command via SYSTEM Account
- Expired or Revoked Driver Loaded
- First Time Seen Driver Loaded
- Potential Privilege Escalation via InstallerFileTakeOver
- Privileges Elevation via Parent Process PID Spoofing