Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.
Rule type: eql
Risk score: 73
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
- Privilege Escalation
Added (Elastic Stack release): 8.0.0
Rule authors: Elastic
Rule license: Elastic License v2
## Triage and analysis. ### Investigating Potential Priivilege Escalation via InstallerFileTakeOver InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY. This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule. #### Possible investigation steps: - Check for the digital signature of the executable - Look for additional processes spawned by the process, command lines and network communications. - Look for additional alerts involving the host and the user. ### False Positive Analysis - Verify whether the digital signature exists in the executable, and if it is valid. ### Related Rules - Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee ### Response and Remediation - Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further post-compromise behavior.
/* This rule is compatible with both Sysmon and Elastic Endpoint */ process where event.type == "start" and user.id : "S-1-5-18" and ( (process.name : "elevation_service.exe" and not process.pe.original_file_name == "elevation_service.exe") or (process.parent.name : "elevation_service.exe" and process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )