security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544)

Browse Source 
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_via_rogue_named_pipe.toml

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-12-08 11:21:04 +01:00
committed by GitHub
parent e3b76b7cf7
commit 434e2d0426
1 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+53
View File
@@ -0,0 +1,53 @@
[metadata]
creation_date = "2021/10/13"
maturity = "production"
updated_date = "2021/10/13"
[rule]
author = ["Elastic"]
description = """
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
masquerading as a known named pipe and manipulating a privileged process to connect to it.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Rogue Named Pipe Impersonation"
note = """## Config
Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
`condition equal "contains" and keyword equal "pipe"`
"""
references = [
"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
"https://github.com/zcgonvh/EfsPotato",
"https://twitter.com/SBousseaden/status/1429530155291193354"
]
risk_score = 73
rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.action : "Pipe Created*" and
/* normal sysmon named pipe creation events truncate the pipe keyword */
file.name : "\\*\\Pipe\\*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
reference = "https://attack.mitre.org/techniques/T1134/"
name = "Access Token Manipulation"
[rule.threat.tactic]
id = "TA0004"
reference = "https://attack.mitre.org/tactics/TA0004/"
name = "Privilege Escalation"