Process Created with an Elevated Token

Elastic Detection Rules

Summary
This rule detects instances where a process is created using an elevated token (the SYSTEM user ID) to impersonate privileged Windows core binaries, which could indicate an attempt to escalate privileges and bypass security measures. The rule's query checks for specific conditions: it looks for processes generated on the Windows operating system and started under the privileged user ID `S-1-5-18`, and it examines the executable paths to ensure they do not match known benign processes. Key exclusions are in place to filter out common utilities and legitimate Windows processes that could otherwise trigger false positives. The guide offers detailed investigation steps to confirm the legitimacy of the process creation event, including verifying the user ID, examining the parent executable, and checking code signatures. It also highlights potential false positives and appropriate response actions to mitigate detected threats effectively. The rule aims to ensure that unauthorized privilege escalation attempts are swiftly identified and addressed, maintaining the integrity of endpoint security.
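The filter below is an added illustration of the three conditions the summary names (Windows host, user ID `S-1-5-18`, executable not on a benign list), written so an analyst can see which sample events it keeps and what triage context it attaches. It is not Elastic's rule or its query: the event field names, the benign-path exclusion set and the sample telemetry are constructed assumptions, and the real rule's exclusions differ.

```python
"""Illustrative filter in the shape of the rule's logic.

Added example, not Elastic's rule: field names, the benign-path set and the
sample events below are constructed assumptions for demonstration.
"""
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"  # Local System, the privileged user ID named in the summary

# Hypothetical benign-path exclusions (assumption; the real rule's list differs).
# Paths are compared case-insensitively because Windows paths are.
BENIGN_EXECUTABLES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed field set)."""
    os: str
    user_id: str
    executable: str
    parent_executable: str
    code_signature_trusted: bool


def is_suspicious_elevated_process(ev, benign=BENIGN_EXECUTABLES):
    """True when all three summary conditions hold for one event."""
    if ev.os.lower() != "windows":
        return False
    if ev.user_id != SYSTEM_SID:
        return False
    return ev.executable.lower() not in benign


def triage(events, benign=BENIGN_EXECUTABLES):
    """Return the flagged events with the investigation hints the guide lists
    (parent executable, code-signature trust) attached for the analyst."""
    findings = []
    for ev in events:
        if is_suspicious_elevated_process(ev, benign):
            findings.append({
                "executable": ev.executable,
                "parent": ev.parent_executable,
                "signed_and_trusted": ev.code_signature_trusted,
            })
    return findings


# Constructed sample telemetry: one benign SYSTEM process, one SYSTEM process
# outside the exclusion list, one non-SYSTEM process, one non-Windows host.
SAMPLE_EVENTS = [
    ProcessEvent("windows", SYSTEM_SID,
                 r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", True),
    ProcessEvent("windows", SYSTEM_SID,
                 r"C:\Users\Public\example_tool.exe",
                 r"C:\Windows\System32\cmd.exe", False),
    ProcessEvent("windows", "S-1-5-21-1000-2000-3000-1001",
                 r"C:\Users\Public\example_tool.exe",
                 r"C:\Windows\explorer.exe", False),
    ProcessEvent("linux", SYSTEM_SID, "/usr/bin/example_tool", "/bin/sh", False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the second sample event survives the filter; the attached parent path and signature-trust flag are the first two things the guide's investigation steps ask an analyst to check before treating the hit as a true positive.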
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1134
  • T1134.002
Created: 2022-10-20