[metadata] creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time" min_stack_version = "8.4.0" updated_date = "2023/10/02" [rule] author = ["Elastic"] description = """ Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Process Created with a Duplicated Token" references = [ "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw", ] risk_score = 47 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' /* This rule is only compatible with Elastic Endpoint 8.4+ */ process where host.os.type == "windows" and event.action == "start" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and (process.Ext.effective_parent.executable regex~ """[C-Z]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9\-\_\.]+\.exe""" or process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe") and ( process.name : ("powershell.exe", "cmd.exe", "rundll32.exe", "notepad.exe", "net.exe", "ntdsutil.exe", "tasklist.exe", "reg.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "esentutl.exe") or ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and not process.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) ) and not (process.name : "rundll32.exe" and process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*", "*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*", "*shell32.dll,SHCreateLocalServerRunDll*")) and not startswith~(process.Ext.effective_parent.name, process.parent.name) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" [[rule.threat.technique.subtechnique]] id = "T1134.001" name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/"