Process Creation via Secondary Logon | Elastic Security Solution [8.5]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Process Activity via Compiled HTML File Process Execution from an Unusual Directory »

Process Creation via Secondary Logonedit

Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.

Rule type: eql

Rule indices:

winlogbeat-*
logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://attack.mitre.org/techniques/T1134/002/

Tags:

Elastic
Host
Windows
Threat Detection
Privilege Escalation

Version: 1

Added (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

sequence by host.id with maxspan=1m [authentication where
event.action:"logged-in" and event.outcome == "success" and
user.id:"S-1-5-21-*" and /* seclogon service */ process.name ==
"svchost.exe" and winlog.event_data.LogonProcessName : "seclogo*"
and source.ip == "::1" ] by winlog.event_data.TargetLogonId [process
where event.type == "start"] by winlog.event_data.TargetLogonId

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/

« Process Activity via Compiled HTML File Process Execution from an Unusual Directory »