Skip to content
Threat Feed
high advisory

Potential Privilege Escalation via InstallerFileTakeOver (CVE-2021-41379)

This rule detects potential exploitation of the InstallerTakeOver vulnerability (CVE-2021-41379), where successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

The rule identifies a potential privilege escalation attempt by exploiting the InstallerTakeOver vulnerability (CVE-2021-41379). This vulnerability, when successfully exploited, allows an unprivileged user to gain SYSTEM-level privileges on a Windows system. The detection focuses on identifying suspicious processes running with SYSTEM privileges that deviate from the expected behavior of the elevation_service.exe, particularly those not signed by Microsoft or spawning command interpreters. The rule aims to detect exploitation attempts rather than the vulnerability itself. This is important for defenders because successful exploitation leads to full system compromise.

Attack Chain

  1. An unprivileged user gains initial access to the system.
  2. The user leverages the InstallerTakeOver vulnerability to manipulate the Windows Installer service.
  3. A malicious binary overwrites or replaces the legitimate elevation_service.exe.
  4. The compromised elevation_service.exe is executed with SYSTEM privileges.
  5. The modified elevation_service.exe spawns a command interpreter (cmd.exe, powershell.exe) or other malicious process.
  6. The spawned process inherits SYSTEM privileges.
  7. The attacker performs malicious actions using the elevated privileges.
  8. The attacker achieves persistence or performs lateral movement within the network.

Impact

Successful exploitation of CVE-2021-41379 allows an unprivileged user to escalate privileges to SYSTEM, leading to a complete compromise of the affected system. This can enable attackers to install malware, steal sensitive data, create new user accounts with administrative rights, or use the compromised system as a pivot point for further attacks within the network. The scope of impact depends on the attacker’s objectives and the compromised system’s role within the organization.

Recommendation

  • Deploy the Sigma rule “Detect Potential InstallerFileTakeOver via Suspicious Service Execution” to your SIEM to detect suspicious execution of elevation_service.exe with unexpected original file name or code signature.
  • Deploy the Sigma rule “Detect Potential InstallerFileTakeOver via Suspicious Child Process” to your SIEM to detect suspicious processes spawned by elevation_service.exe.
  • Review and harden Windows Installer permissions to prevent unauthorized modifications as referenced in CVE-2021-41379.
  • Monitor file events for modifications to elevation_service.exe to identify potential service overwrite attempts.

Detection coverage 2

Detect Potential InstallerFileTakeOver via Suspicious Service Execution

high

Detects CVE-2021-41379 exploitation — detects suspicious execution of elevation_service.exe with unexpected original file name or code signature.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, windows

Detect Potential InstallerFileTakeOver via Suspicious Child Process

high

Detects CVE-2021-41379 exploitation — detects suspicious processes spawned by elevation_service.exe.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →