security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ad8b32ce2299d4f736c5bfa25de0148c07692d2
sigma-rules/rules/windows/privilege_escalation_installertakeover.toml
T
Jonhnathan 73b3bec457 [Security Content] Update rules based on docs review (#1803) 
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1c50f35aed)
2022-03-02 00:41:56 +00:00

84 lines
2.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/11/25"
maturity = "production"
updated_date = "2022/02/28"
[rule]
author = ["Elastic"]
description = """
Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation
allows an unprivileged user to escalate privileges to SYSTEM.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via InstallerFileTakeOver"
note = """## Triage and analysis.
### Investigating Potential Priivilege Escalation via InstallerFileTakeOver
InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.
This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.
#### Possible investigation steps:
- Check for the digital signature of the executable.
- Look for additional processes spawned by the process, command lines, and network communications.
- Look for additional alerts involving the host and the user.
### False Positive Analysis
- Verify whether the digital signature exists in the executable, and if it is valid.
### Related Rules
- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee
### Response and Remediation
- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
further post-compromise behavior.
"""
references = [
"https://github.com/klinix5/InstallerFileTakeOver"
]
risk_score = 73
rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
(
(process.name : "elevation_service.exe" and
not process.pe.original_file_name == "elevation_service.exe") or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
reference = "https://attack.mitre.org/techniques/T1068/"
name = "Exploitation for Privilege Escalation"
[rule.threat.tactic]
id = "TA0004"
reference = "https://attack.mitre.org/tactics/TA0004/"
name = "Privilege Escalation"
Reference in New Issue View Git Blame Copy Permalink