diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
new file mode 100644
index 000000000..7db1faf21
--- /dev/null
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/11/15"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/11/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
+forging capability that are often abused to bypass access control restrictions.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen NewCredentials Logon Process"
+risk_score = 47
+rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
+severity = "medium"
+references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
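Review bot: The description's second sentence does not parse ("capability that are") and the first is imprecise about what is matched, since the rule keys on a first-seen `process.executable` rather than on the logon type itself; I would reword it to `Identifies a NewCredentials logon (Windows logon type 9) performed by a process not previously seen doing so. This may indicate the presence of an access token forging capability, which is often abused to bypass access control restrictions.` The rule also has no `false_positives` entry even though NewCredentials logons are routinely produced by legitimate software, for example `runas /netonly` and any program calling LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, so a newly deployed administration or backup tool will fire this rule once per executable; a line such as `false_positives = ["Legitimate administration or backup tools that authenticate with alternate credentials will trigger this rule the first time a given executable is observed doing so."]` would help triage. Finally, the `(Advapi* or "Advapi ")` clause in `query` presumably exists because the raw LogonProcessName value in the event carries trailing-space padding; a short comment above `query` recording that intent would keep a later tidy-up from dropping the quoted form.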