security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Process Creation via Secondary Logon (#2282)

Browse Source 
* [New Rule] Process Creation via Secondary Logon

https://github.com/elastic/detection-rules/issues/2164

Create process using alternate creds (i.g. runas) :

* Update privilege_escalation_create_process_as_different_user.toml

* Update privilege_escalation_create_process_as_different_user.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Samirbous
2022-09-19 20:04:08 +02:00
committed by GitHub
parent 4844b69ced
commit acdfe5ddab
2 changed files with 71 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/non-ecs-schema.json
+2
View File
@@ -43,6 +43,8 @@
"PrivilegeList": "keyword",
"AuthenticationPackageName" : "keyword",
"TargetUserSid" : "keyword",
"DnsHostName" : "keyword",
"LogonProcessName": "keyword",
"DnsHostName" : "keyword",
"TaskName": "keyword",
"Status": "keyword"
rules/windows/privilege_escalation_create_process_as_different_user.toml
+69
View File
@@ -0,0 +1,69 @@
[metadata]
creation_date = "2022/08/30"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/30"
[rule]
author = ["Elastic"]
description = """
Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to
escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Process Creation via Secondary Logon"
note = """## Setup
Audit events 4624 and 4688 are needed to trigger this rule.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://attack.mitre.org/techniques/T1134/002/"]
risk_score = 47
rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
type = "eql"
query = '''
sequence by host.id with maxspan=1m
[authentication where event.action:"logged-in" and
event.outcome == "success" and user.id:"S-1-5-21-*" and
/* seclogon service */
process.name == "svchost.exe" and
winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId
[process where event.type == "start"] by winlog.event_data.TargetLogonId
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"
[[rule.threat.technique.subtechnique]]
id = "T1134.003"
name = "Make and Impersonate Token"
reference = "https://attack.mitre.org/techniques/T1134/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"