Potential Privilege Escalation via InstallerFileTakeOveredit

Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 2 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Triage and analysis.

### Investigating Potential Priivilege Escalation via InstallerFileTakeOver

InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.

This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.

#### Possible investigation steps:

- Check for the digital signature of the executable.
- Look for additional processes spawned by the process, command lines, and network communications.
- Look for additional alerts involving the host and the user.

### False Positive Analysis

- Verify whether the digital signature exists in the executable, and if it is valid.

### Related Rules

- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee

### Response and Remediation

- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.

Rule queryedit

/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and (
(process.name : "elevation_service.exe" and not
process.pe.original_file_name == "elevation_service.exe") or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 2 (8.1.0 release)
  • Updated query, changed from:

    /* This rule is compatible with both Sysmon and Elastic Endpoint */
    process where event.type == "start" and user.id : "S-1-5-18" and
    ( (process.name : "elevation_service.exe" and not
    process.pe.original_file_name == "elevation_service.exe") or
    (process.parent.name : "elevation_service.exe" and
    process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )