First Time Seen NewCredentials Logon Process | Elastic Security Solution [8.8]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« First Time Seen Google Workspace OAuth Login from Third-Party Application First Time Seen Removable Device »

First Time Seen NewCredentials Logon Processedit

Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.

Rule type: new_terms

Rule indices:

winlogbeat-*
logs-system.*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi  ")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/
Sub-technique:
- Name: Token Impersonation/Theft
- ID: T1134.001
- Reference URL: https://attack.mitre.org/techniques/T1134/001/

« First Time Seen Google Workspace OAuth Login from Third-Party Application First Time Seen Removable Device »