From e6df245ff3f82b075a5c2c66ad6c1c8b206ce826 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 5 Dec 2023 17:34:10 +0000 Subject: [PATCH] [New] Interactive Logon by an Unusual Process (#3299) * Create privilege_escalation_make_token_local.toml * Update privilege_escalation_make_token_local.toml * Update privilege_escalation_make_token_local.toml --- ...privilege_escalation_make_token_local.toml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 rules/windows/privilege_escalation_make_token_local.toml diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml new file mode 100644 index 000000000..51154ffc7 --- /dev/null +++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -0,0 +1,73 @@ +[metadata] +creation_date = "2023/12/04" +integration = ["system", "windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/04" + +[rule] +author = ["Elastic"] +description = """ +Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may +create a new token to escalate privileges and bypass access controls. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Interactive Logon by an Unusual Process" +references = ["https://attack.mitre.org/techniques/T1134/002/"] +risk_score = 73 +rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad" +setup = """ + +Audit event 4624 is needed to trigger this rule. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "high" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +authentication where + host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and + winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and + winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and + not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and + not process.executable : + ("?:\\Windows\\System32\\winlogon.exe", + "?:\\Windows\\System32\\wininit.exe", + "?:\\Program Files\\Okta\\Okta Verify\\OktaVerify.exe", + "?:\\Program Files (x86)\\Okta\\Okta Verify\\OktaVerify.exe") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.003" +name = "Make and Impersonate Token" +reference = "https://attack.mitre.org/techniques/T1134/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"