IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Interactive Logon by an Unusual Process

Identifies interactive logon attempts made with alternate credentials by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Privilege Escalation
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query

authentication where host.os.type : "windows" and
  winlog.event_data.LogonProcessName : "Advapi*" and
  winlog.logon.type == "Interactive" and
  winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and
  winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and
  not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and
  not process.executable : (
    "?:\\Windows\\System32\\winlogon.exe",
    "?:\\Windows\\System32\\wininit.exe",
    "?:\\Program Files\\Okta\\Okta Verify\\OktaVerify.exe",
    "?:\\Program Files (x86)\\Okta\\Okta Verify\\OktaVerify.exe"
  )
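To make the rule's filtering concrete, the following is an added example (not part of the Elastic rule or its documentation) that re-implements the query's clauses in plain Python and runs them over a handful of constructed ECS-style logon events. It mirrors EQL semantics as documented by Elastic: the `:` operator is a case-insensitive comparison in which `*` and `?` are wildcards, `==` is case-sensitive, and `startswith~` is the case-insensitive form of `startswith`. The event dictionaries, their `id` values, SIDs and executable paths are all constructed for illustration.

```python
import fnmatch

# Exclusions copied from the rule's `not process.executable : (...)` clause.
EXCLUDED_EXECUTABLES = (
    "?:\\Windows\\System32\\winlogon.exe",
    "?:\\Windows\\System32\\wininit.exe",
    "?:\\Program Files\\Okta\\Okta Verify\\OktaVerify.exe",
    "?:\\Program Files (x86)\\Okta\\Okta Verify\\OktaVerify.exe",
)
# Domain/local user SIDs (S-1-5-21-...) and Azure AD SIDs (S-1-12-...), as in the rule.
USER_SID_PATTERNS = ("S-1-5-21*", "S-1-12-*")


def eql_like(value, patterns):
    """Emulate EQL `field : (p1, p2, ...)`: case-insensitive, `*`/`?` are wildcards."""
    if not isinstance(value, str):
        return False
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def matches_rule(event):
    """Return True when a single flattened ECS-style event satisfies every clause of the rule."""
    get = event.get
    subject = get("winlog.event_data.SubjectUserSid")
    target = get("winlog.event_data.TargetUserSid")
    return (
        eql_like(get("host.os.type"), ("windows",))
        and eql_like(get("winlog.event_data.LogonProcessName"), ("Advapi*",))
        and get("winlog.logon.type") == "Interactive"  # `==` is case-sensitive in EQL
        and eql_like(subject, USER_SID_PATTERNS)
        and eql_like(target, USER_SID_PATTERNS)
        # startswith~ is case-insensitive; this clause drops logons where the
        # calling account and the target account are the same principal.
        and not subject.lower().startswith(target.lower())
        and not eql_like(get("process.executable"), EXCLUDED_EXECUTABLES)
    )


def find_alerts(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Field names follow the ECS
# mapping used by the rule; the SIDs and paths are made up.
SAMPLE_EVENTS = [
    {   # 1: alternate-credential interactive logon from a user-writable path -> alert
        "id": 1, "host.os.type": "windows",
        "winlog.event_data.LogonProcessName": "Advapi  ",
        "winlog.logon.type": "Interactive",
        "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "winlog.event_data.TargetUserSid": "S-1-5-21-1111-2222-3333-500",
        "process.executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe",
    },
    {   # 2: same account on both sides (e.g. a screen unlock) -> no alert
        "id": 2, "host.os.type": "windows",
        "winlog.event_data.LogonProcessName": "Advapi  ",
        "winlog.logon.type": "Interactive",
        "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "winlog.event_data.TargetUserSid": "S-1-5-21-1111-2222-3333-1001",
        "process.executable": "C:\\Windows\\explorer.exe",
    },
    {   # 3: different accounts, but winlogon.exe is on the exclusion list -> no alert
        "id": 3, "host.os.type": "windows",
        "winlog.event_data.LogonProcessName": "Advapi  ",
        "winlog.logon.type": "Interactive",
        "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "winlog.event_data.TargetUserSid": "S-1-5-21-1111-2222-3333-1002",
        "process.executable": "C:\\Windows\\System32\\winlogon.exe",
    },
    {   # 4: Azure AD target SID from an unusual binary on another drive -> alert
        "id": 4, "host.os.type": "windows",
        "winlog.event_data.LogonProcessName": "Advapi  ",
        "winlog.logon.type": "Interactive",
        "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "winlog.event_data.TargetUserSid": "S-1-12-1-4000-5000-6000-7000",
        "process.executable": "D:\\Tools\\runner.exe",
    },
    {   # 5: target is a built-in SID (SYSTEM), outside the user-SID filter -> no alert
        "id": 5, "host.os.type": "windows",
        "winlog.event_data.LogonProcessName": "Advapi  ",
        "winlog.logon.type": "Interactive",
        "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "winlog.event_data.TargetUserSid": "S-1-5-18",
        "process.executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe",
    },
    {   # 6: network logon type, not interactive -> no alert
        "id": 6, "host.os.type": "windows",
        "winlog.event_data.LogonProcessName": "Advapi  ",
        "winlog.logon.type": "Network",
        "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "winlog.event_data.TargetUserSid": "S-1-5-21-1111-2222-3333-500",
        "process.executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe",
    },
]

if __name__ == "__main__":
    print("alerting event ids:", find_alerts(SAMPLE_EVENTS))
```

Running the script lists events 1 and 4 as alerts. Events 2, 3, 5 and 6 show which clause suppresses each common benign case: a self-logon, an excluded system binary, a non-user target SID, and a non-interactive logon type. When tuning the rule, new exclusions belong in `EXCLUDED_EXECUTABLES` (the rule's `not process.executable : (...)` list) rather than in the SID filters, so that alternate-credential logons from unexpected binaries remain visible.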
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Privilege Escalation
  - ID: TA0004
  - Reference URL: https://attack.mitre.org/tactics/TA0004/
- Technique:
  - Name: Access Token Manipulation
  - ID: T1134
  - Reference URL: https://attack.mitre.org/techniques/T1134/
  - Sub-technique:
    - Name: Create Process with Token
    - ID: T1134.002
    - Reference URL: https://attack.mitre.org/techniques/T1134/002/
  - Sub-technique:
    - Name: Make and Impersonate Token
    - ID: T1134.003
    - Reference URL: https://attack.mitre.org/techniques/T1134/003/