security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Elevation via SCM rules (#4837)

Browse Source 
* Update privilege_escalation_krbrelayup_service_creation.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update non-ecs-schema.json

* Update non-ecs-schema.json

* Update pyproject.toml
This commit is contained in:
Samirbous
2025-06-20 09:52:59 +01:00
committed by GitHub
parent b9c6517666
commit 4b20d69c03
4 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/non-ecs-schema.json
+2
View File
@@ -36,6 +36,8 @@
"SubjectLogonId": "keyword",
"SubjectUserName": "keyword",
"SubjectUserSid": "keyword",
"ServiceAccount": "keyword",
"ElevatedToken": "keyword",
"TargetUserName": "keyword",
"TargetImage": "keyword",
"TargetLogonId": "keyword",
pyproject.toml
+1 -1
View File
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.2.22"
version = "1.2.23"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+3 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2022/04/27"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/06/19"
[rule]
author = ["Elastic"]
@@ -76,11 +76,10 @@ sequence by winlog.computer_name with maxspan=5m
[authentication where
/* event 4624 need to be logged */
event.action == "logged-in" and event.outcome == "success" and
event.action == "logged-in" and event.outcome == "success" and winlog.event_data.ElevatedToken == "%%1843" and process.pid == 0 and
/* authenticate locally using relayed kerberos Ticket */
winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and
cidrmatch(source.ip, "127.0.0.0/8", "::1") and source.port > 0] by winlog.event_data.TargetLogonId
winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and cidrmatch(source.ip, "127.0.0.0/8", "::1")] by winlog.event_data.TargetLogonId
[any where
/* event 4697 need to be logged */
rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+2 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/07"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/06/19"
[rule]
author = ["Elastic"]
@@ -91,6 +91,7 @@ query = '''
configuration where host.os.type == "windows" and
event.action == "service-installed" and
(winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and
startswith~(user.domain, winlog.computer_name) and winlog.event_data.ServiceAccount == "LocalSystem" and
not winlog.event_data.ServiceFileName : (
"?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
"?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",