Privilege Escalation (TA0004)(external, opens in a new tab or window)
text code block:/* This rule is only compatible with Elastic Endpoint 8.4+ */ process where host.os.type == "windows" and event.action == "start" and /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */ user.id == "S-1-5-18" and process.parent.executable != null and /* Token Theft target process usually running as service are located in one of the following paths */ process.Ext.effective_parent.executable : "?:\\Windows\\*.exe" and /* Ignores Utility Manager in Windows running in debug mode */ not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and /* Ignores Windows print spooler service with correlation to Access Intelligent Form */ not (process.parent.executable : ("?\\Windows\\System32\\spoolsv.exe", "C:\\Windows\\System32\\PrintIsolationHost.exe") and process.executable: ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\spool\\drivers\\*.exe", "?:\\Windows\\System32\\ROUTE.EXE")) and /* Ignores Windows error reporting executables */ not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe", "?:\\Windows\\SysWOW64\\WerFaultSecure.exe", "?:\\windows\\system32\\WerMgr.exe", "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */ not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe", "?:\\Windows\\WinSxS\\*.exe", "?:\\Windows\\System32\\inetsrv\\iissetup.exe", "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe", "?:\\Windows\\System32\\inetsrv\\aspnetca.exe", "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe", "?:\\Windows\\System32\\lodctr.exe", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\System32\\netcfg.exe", "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe", "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and /* Ignores additional parent executables that run with elevated privileges */ not process.parent.executable : ("?:\\Windows\\System32\\AtBroker.exe", "?:\\Windows\\system32\\svchost.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Program Files\\*.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\System32\\DriverStore\\*", "?:\\Windows\\LTSvc\\*\\Update.exe") and /* Ignores Windows binaries with a trusted signature and specific signature name */ not (process.code_signature.trusted == true and process.code_signature.subject_name : ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.", "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc", "Sophos Ltd", "Sophos Limited", "Brother Industries, Ltd.", "MILVUS INOVACOES EM SOFTWARE LTDA", "Chocolatey Software, Inc")) and not (process.Ext.effective_parent.executable : "?:\\Windows\\servicing\\TrustedInstaller.exe" and process.executable : "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe") and not process.Ext.effective_parent.executable : "?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\emulator\\MmrAgent.NetFxEmulator.exe"
Install detection rules in Elastic Security
Detect Process Created with an Elevated Token in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).