Potential Privilege Escalation via InstallerFileTakeOver

edit

Potential Privilege Escalation via InstallerFileTakeOver

edit

Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 4 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Triage and analysis

### Investigating Potential Privilege Escalation via InstallerFileTakeOver

InstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an
unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.

This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),
which is outside the scope of this rule.

#### Possible investigation steps:

- Check the executable's digital signature.
- Look for additional processes spawned by the process, command lines, and network communications.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
    - Observe and collect information about the following activities:
      - Attempts to contact external domains and addresses.
      - File and registry access, modification, and creation activities.
      - Service creation and launch activities.
      - Scheduled tasks creation.
  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- Verify whether a digital signature exists in the executable, and if it is valid.

### Related rules

- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
  - Immediately block the identified indicators of compromise (IoCs).
- Remove and block malicious artifacts identified on the triage.
- Disable user account’s ability to log in remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Determine the initial infection vector.

## Config

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.

Rule query

edit
/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and
(?process.Ext.token.integrity_level_name : "System" or
?winlog.event_data.IntegrityLevel : "System") and (
(process.name : "elevation_service.exe" and not
process.pe.original_file_name == "elevation_service.exe") or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 4 (8.2.0 release)
  • Updated query, changed from:

    /* This rule is compatible with both Sysmon and Elastic Endpoint */
    process where event.type == "start" and
    (process.Ext.token.integrity_level_name : "System" or
    winlog.event_data.IntegrityLevel : "System") and (
    (process.name : "elevation_service.exe" and not
    process.pe.original_file_name == "elevation_service.exe") or
    (process.parent.name : "elevation_service.exe" and
    process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )
Version 2 (8.1.0 release)
  • Updated query, changed from:

    /* This rule is compatible with both Sysmon and Elastic Endpoint */
    process where event.type == "start" and user.id : "S-1-5-18" and
    ( (process.name : "elevation_service.exe" and not
    process.pe.original_file_name == "elevation_service.exe") or
    (process.parent.name : "elevation_service.exe" and
    process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )