From d4e0a6cc9878758d0d207290acd4b36d536e713e Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 23 Oct 2023 14:34:36 -0300
Subject: [PATCH] [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver (#3215)

* [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver

* Update privilege_escalation_installertakeover.toml

(cherry picked from commit a471f6fc6096d873814cf06c9a7694f95365301f)
---
 ...rivilege_escalation_installertakeover.toml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index a19faf24b..9c932e66b 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/11/25"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) defaul
 allows an unprivileged user to escalate privileges to SYSTEM.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via InstallerFileTakeOver"
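Review bot: Removing `winlogbeat-*` and `logs-windows.*` from `index` (and `"windows"` from `integration` in the first hunk) silently ends this rule's coverage on hosts that only forward Sysmon / Windows-integration events, so the commit should state that the Sysmon path is dropped on purpose and that Endpoint-only telemetry is now required; the matching removal of `?winlog.event_data.IntegrityLevel` in the query hunk on the next line is consistent with that. If the rule's `note` or `setup` text, which lies outside these hunks, still refers to Sysmon or winlogbeat, it should be updated in the same change so the documented data requirements match the `index` list. Consider also recording the narrowing in `min_stack_comments`, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; Sysmon/winlogbeat sources removed"`, so later tuning does not re-add the indices without restoring the winlog condition.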
@@ -111,17 +111,22 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-/* This rule is compatible with both Sysmon and Elastic Endpoint */
-
 process where host.os.type == "windows" and event.type == "start" and
-    (?process.Ext.token.integrity_level_name : "System" or
-     ?winlog.event_data.IntegrityLevel : "System") and
+    process.Ext.token.integrity_level_name : "System" and
     (
       (process.name : "elevation_service.exe" and
        not process.pe.original_file_name == "elevation_service.exe") or
+
+      (process.name : "elevation_service.exe" and
+       not process.code_signature.trusted == true) or
       (process.parent.name : "elevation_service.exe" and
        process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
+    ) and
+    not
+    (
+      process.name : "elevation_service.exe" and process.code_signature.trusted == true and
+      process.pe.original_file_name == null
     )
 '''