diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml new file mode 100644 index 000000000..f965def16 --- /dev/null +++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -0,0 +1,78 @@ +[metadata] +creation_date = "2023/10/02" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time" +min_stack_version = "8.4.0" +updated_date = "2023/10/02" + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new +process with a different token to escalate privileges and bypass access controls. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Process Created with a Duplicated Token" +references = [ + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw", +] +risk_score = 47 +rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +/* This rule is only compatible with Elastic Endpoint 8.4+ */ + +process where host.os.type == "windows" and event.action == "start" and + + user.id : ("S-1-5-21-*", "S-1-12-1-*") and + + (process.Ext.effective_parent.executable regex~ """[C-Z]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9\-\_\.]+\.exe""" or + process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe") and + + ( + process.name : ("powershell.exe", "cmd.exe", "rundll32.exe", "notepad.exe", "net.exe", "ntdsutil.exe", + "tasklist.exe", "reg.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "esentutl.exe") or + + ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and + not process.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and + not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) + ) and + not (process.name : "rundll32.exe" and + process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*", + "*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*", + "*shell32.dll,SHCreateLocalServerRunDll*")) and + not startswith~(process.Ext.effective_parent.name, process.parent.name) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"