{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3omicrosoftwindows_10_1507/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_2004:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.5,"id":"CVE-2021-41379"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Edge"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve-2021-41379","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe rule identifies a potential privilege escalation attempt by exploiting the InstallerTakeOver vulnerability (CVE-2021-41379). This vulnerability, when successfully exploited, allows an unprivileged user to gain SYSTEM-level privileges on a Windows system. The detection focuses on identifying suspicious processes running with SYSTEM privileges that deviate from the expected behavior of the \u003ccode\u003eelevation_service.exe\u003c/code\u003e, particularly those not signed by Microsoft or spawning command interpreters. The rule aims to detect exploitation attempts rather than the vulnerability itself. This is important for defenders because successful exploitation leads to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user gains initial access to the system.\u003c/li\u003e\n\u003cli\u003eThe user leverages the InstallerTakeOver vulnerability to manipulate the Windows Installer service.\u003c/li\u003e\n\u003cli\u003eA malicious binary overwrites or replaces the legitimate \u003ccode\u003eelevation_service.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe compromised \u003ccode\u003eelevation_service.exe\u003c/code\u003e is executed with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe modified \u003ccode\u003eelevation_service.exe\u003c/code\u003e spawns a command interpreter (cmd.exe, powershell.exe) or other malicious process.\u003c/li\u003e\n\u003cli\u003eThe spawned process inherits SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions using the elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or performs lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-41379 allows an unprivileged user to escalate privileges to SYSTEM, leading to a complete compromise of the affected system. This can enable attackers to install malware, steal sensitive data, create new user accounts with administrative rights, or use the compromised system as a pivot point for further attacks within the network. The scope of impact depends on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential InstallerFileTakeOver via Suspicious Service Execution\u0026rdquo; to your SIEM to detect suspicious execution of \u003ccode\u003eelevation_service.exe\u003c/code\u003e with unexpected original file name or code signature.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential InstallerFileTakeOver via Suspicious Child Process\u0026rdquo; to your SIEM to detect suspicious processes spawned by \u003ccode\u003eelevation_service.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and harden Windows Installer permissions to prevent unauthorized modifications as referenced in CVE-2021-41379.\u003c/li\u003e\n\u003cli\u003eMonitor file events for modifications to \u003ccode\u003eelevation_service.exe\u003c/code\u003e to identify potential service overwrite attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:00:53Z","date_published":"2026-05-12T19:00:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-installer-takeover/","summary":"This rule detects potential exploitation of the InstallerTakeOver vulnerability (CVE-2021-41379), where successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.","title":"Potential Privilege Escalation via InstallerFileTakeOver (CVE-2021-41379)","url":"https://feed.craftedsignal.io/briefs/2026-05-installer-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}