IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Process Creation via Secondary Logon
editProcess Creation via Secondary Logon
editIdentifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Privilege Escalation
Version: 6
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editsequence by winlog.computer_name with maxspan=1m [authentication where event.action:"logged-in" and event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and /* seclogon service */ process.name == "svchost.exe" and winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId [process where event.type == "start"] by winlog.event_data.TargetLogonId
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/
-
Sub-technique:
- Name: Create Process with Token
- ID: T1134.002
- Reference URL: https://attack.mitre.org/techniques/T1134/002/
-
Sub-technique:
- Name: Make and Impersonate Token
- ID: T1134.003
- Reference URL: https://attack.mitre.org/techniques/T1134/003/