Potential Privilege Escalation via InstallerFileTakeOveredit

Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 1

Added (Elastic Stack release): 8.0.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Triage and analysis.

### Investigating Potential Priivilege Escalation via InstallerFileTakeOver

InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.

This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.

#### Possible investigation steps:

- Check for the digital signature of the executable
- Look for additional processes spawned by the process, command lines and network communications.
- Look for additional alerts involving the host and the user.

### False Positive Analysis

- Verify whether the digital signature exists in the executable, and if it is valid.

### Related Rules

- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee

### Response and Remediation

- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
post-compromise behavior.

Rule queryedit

/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and user.id : "S-1-5-18" and
( (process.name : "elevation_service.exe" and not
process.pe.original_file_name == "elevation_service.exe") or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )

Threat mappingedit