IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Process Created with an Elevated Token
editProcess Created with an Elevated Token
editIdentifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Data Source: Elastic Defend
Version: 5
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edit/* This rule is only compatible with Elastic Endpoint 8.4+ */
process where host.os.type == "windows" and event.action == "start" and
/* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
user.id : "S-1-5-18" and
/* Token Theft target process usually running as service are located in one of the following paths */
process.Ext.effective_parent.executable :
("?:\\Windows\\*.exe",
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\ProgramData\\*") and
/* Ignores Utility Manager in Windows running in debug mode */
not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and
/* Ignores Windows print spooler service with correlation to Access Intelligent Form */
not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
process.executable: "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe") and
/* Ignores Windows error reporting executables */
not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\System32\\WerFaultSecure.exe",
"?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
"?:\\windows\\system32\\WerMgr.exe",
"?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
/* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
"?:\\Windows\\WinSxS\\*.exe",
"?:\\Windows\\System32\\inetsrv\\iissetup.exe",
"?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
"?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
"?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
"?:\\Windows\\System32\\lodctr.exe",
"?:\\Windows\\SysWOW64\\lodctr.exe",
"?:\\Windows\\System32\\netcfg.exe",
"?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
"?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and
/* Ignores additional parent executables that run with elevated privileges */
not process.parent.executable :
("?:\\Windows\\System32\\AtBroker.exe",
"?:\\Windows\\system32\\svchost.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Program Files\\*.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\DriverStore\\*") and
/* Ignores Windows binaries with a trusted signature and specific signature name */
not (process.code_signature.trusted == true and
process.code_signature.subject_name :
("philandro Software GmbH",
"Freedom Scientific Inc.",
"TeamViewer Germany GmbH",
"Projector.is, Inc.",
"TeamViewer GmbH",
"Cisco WebEx LLC",
"Dell Inc"))
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/
-
Sub-technique:
- Name: Create Process with Token
- ID: T1134.002
- Reference URL: https://attack.mitre.org/techniques/T1134/002/