security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7be96ec64dc12ed3d2849bb408e4eecfde40dc02
sigma-rules/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
T
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30

86 lines
3.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/10/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new
process with a different token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Created with a Duplicated Token"
references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"]
risk_score = 47
rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
/* This rule is only compatible with Elastic Endpoint 8.4+ */
process where host.os.type == "windows" and event.action == "start" and
user.id : ("S-1-5-21-*", "S-1-12-1-*") and
(process.Ext.effective_parent.executable regex~ """[C-Z]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9\-\_\.]+\.exe""" or
process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe") and
(
process.name : ("powershell.exe", "cmd.exe", "rundll32.exe", "notepad.exe", "net.exe", "ntdsutil.exe",
"tasklist.exe", "reg.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "esentutl.exe") or
((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and
not process.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))
) and
not (process.name : "rundll32.exe" and
process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*",
"*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*",
"*shell32.dll,SHCreateLocalServerRunDll*")) and
not startswith~(process.Ext.effective_parent.name, process.parent.name) and
not (process.name : "powershell.exe" and process.parent.name : "wmiprvse.exe" and process.Ext.effective_parent.executable : "?:\\Windows\\System32\\wsmprovhost.exe") and
not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\RuntimeBroker.exe" and process.parent.executable : "?:\\Windows\\System32\\sihost.exe") and
not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and
not (process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe" and
process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\twain_32\\*.exe"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.001"
name = "Token Impersonation/Theft"
reference = "https://attack.mitre.org/techniques/T1134/001/"
[[rule.threat.technique.subtechnique]]
id = "T1134.002"
name = "Create Process with Token"
reference = "https://attack.mitre.org/techniques/T1134/002/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink