shashank-elastic
88 lines
2.8 KiB
TOML
88 lines
2.8 KiB
TOML
[metadata]
|
|
creation_date = "2022/10/20"
|
|
integration = ["windows"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/10/23"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
|
|
may create a new process with a different token to escalate privileges and bypass access controls.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "SeDebugPrivilege Enabled by a Suspicious Process"
|
|
references = [
|
|
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703",
|
|
"https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd"
|
|
setup = """
|
|
|
|
Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).
|
|
|
|
Steps to implement the logging policy with with Advanced Audit Configuration:
|
|
|
|
```
|
|
Computer Configuration >
|
|
Policies >
|
|
Windows Settings >
|
|
Security Settings >
|
|
Advanced Audit Policies Configuration >
|
|
Audit Policies >
|
|
Detailed Tracking >
|
|
Token Right Adjusted Events (Success)
|
|
```
|
|
"""
|
|
severity = "medium"
|
|
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
|
|
event.action : "Token Right Adjusted Events" and
|
|
|
|
winlog.event_data.EnabledPrivilegeList : "SeDebugPrivilege" and
|
|
|
|
/* exclude processes with System Integrity */
|
|
not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
|
|
|
|
not winlog.event_data.ProcessName :
|
|
("?:\\Windows\\System32\\msiexec.exe",
|
|
"?:\\Windows\\SysWOW64\\msiexec.exe",
|
|
"?:\\Windows\\System32\\lsass.exe",
|
|
"?:\\Windows\\WinSxS\\*",
|
|
"?:\\Program Files\\*",
|
|
"?:\\Program Files (x86)\\*",
|
|
"?:\\Windows\\System32\\MRT.exe",
|
|
"?:\\Windows\\System32\\cleanmgr.exe",
|
|
"?:\\Windows\\System32\\taskhostw.exe",
|
|
"?:\\Windows\\System32\\mmc.exe",
|
|
"?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
|
|
"?:\\Windows\\System32\\auditpol.exe",
|
|
"?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
|
|
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1134"
|
|
name = "Access Token Manipulation"
|
|
reference = "https://attack.mitre.org/techniques/T1134/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
|