From 58174015bd286bd4f9d8b8a9cd85c0645ad20c59 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 16:21:42 +0100 Subject: [PATCH] [New Rule] Privilege Escalation via Windir Environment Variable (#638) * [New Rule] Privilege Escalation via Windir Environment Variable * added equiv envar * eql syntax * Update rules/windows/privilege_escalation_rogue_windir_environment_var.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * ecs_version Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...calation_rogue_windir_environment_var.toml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rules/windows/privilege_escalation_rogue_windir_environment_var.toml diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml new file mode 100644 index 000000000..ecef369cc --- /dev/null +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/11/26" +maturity = "production" +updated_date = "2020/11/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known +primitive that is often combined with other vulnerabilities to elevate privileges. +""" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Privilege Escalation via Windir Environment Variable" +references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"] +risk_score = 71 +rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +type = "eql" + +query = ''' +registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and + not registry.data.strings : ("C:\\windows", "%SystemRoot%") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1034" +name = "Path Interception" +reference = "https://attack.mitre.org/techniques/T1034/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"