IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Privilege Escalation via InstallerFileTakeOver
editPotential Privilege Escalation via InstallerFileTakeOver
editIdentifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Privilege Escalation
Version: 2 (version history)
Added (Elastic Stack release): 8.0.0
Last modified (Elastic Stack release): 8.1.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis. ### Investigating Potential Priivilege Escalation via InstallerFileTakeOver InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY. This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule. #### Possible investigation steps: - Check for the digital signature of the executable. - Look for additional processes spawned by the process, command lines, and network communications. - Look for additional alerts involving the host and the user. ### False Positive Analysis - Verify whether the digital signature exists in the executable, and if it is valid. ### Related Rules - Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee ### Response and Remediation - Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior.
Rule query
edit/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and (
(process.name : "elevation_service.exe" and not
process.pe.original_file_name == "elevation_service.exe") or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Exploitation for Privilege Escalation
- ID: T1068
- Reference URL: https://attack.mitre.org/techniques/T1068/
Rule version history
edit- Version 2 (8.1.0 release)
-
-
Updated query, changed from:
/* This rule is compatible with both Sysmon and Elastic Endpoint */ process where event.type == "start" and user.id : "S-1-5-18" and ( (process.name : "elevation_service.exe" and not process.pe.original_file_name == "elevation_service.exe") or (process.parent.name : "elevation_service.exe" and process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )
-