security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bdfddac8edea5e327bf28aed7e6dc4a7f701dc6
sigma-rules/rules/windows/privilege_escalation_installertakeover.toml
T
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00

88 lines
3.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/11/25"
maturity = "production"
updated_date = "2022/03/31"
[rule]
author = ["Elastic"]
description = """
Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation
allows an unprivileged user to escalate privileges to SYSTEM.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via InstallerFileTakeOver"
note = """## Triage and analysis.
### Investigating Potential Priivilege Escalation via InstallerFileTakeOver
InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.
This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.
#### Possible investigation steps:
- Check for the digital signature of the executable.
- Look for additional processes spawned by the process, command lines, and network communications.
- Look for additional alerts involving the host and the user.
### False Positive Analysis
- Verify whether the digital signature exists in the executable, and if it is valid.
### Related Rules
- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee
### Response and Remediation
- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
further post-compromise behavior.
## Config
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://github.com/klinix5/InstallerFileTakeOver"]
risk_score = 73
rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
(
(process.name : "elevation_service.exe" and
not process.pe.original_file_name == "elevation_service.exe") or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink