Attack Chain

1. An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
2. The attacker identifies a privileged Windows process, such as a service running as SYSTEM, as a target for token theft.
3. The attacker uses the CreateProcessWithTokenW API (or similar) to create a new process.
4. The new process is configured to run under the security context (token) of the targeted privileged process.
5. The attacker then executes malicious code within the context of the newly created process.
6. This malicious code now operates with SYSTEM-level privileges, bypassing normal access controls.
7. The attacker can then use these elevated privileges to install malware, modify system settings, or steal sensitive data.
8. Finally, the adversary achieves persistence and control of the system.

Impact

Successful exploitation allows attackers to perform any action on the system with the highest privileges. This includes installing malware, accessing sensitive data, creating new user accounts with administrative rights, and disabling security controls. The impact is a complete compromise of the affected system. The Elastic rule has a risk score of 73 and is classified as high severity.

Recommendation

• Enable Elastic Defend to collect the necessary process creation events, as specified in the setup instructions.
• Deploy the provided Sigma rule to your SIEM to detect processes created with elevated tokens. Tune the rule based on observed false positives in your environment.
• Investigate any alerts generated by the Sigma rule by examining the process tree, focusing on the user.id, process.executable, process.parent.executable, and process.Ext.effective_parent.executable fields as outlined in the rule’s note section.
• Review and validate any exceptions before implementing them, ensuring that the exact child/parent/effective-parent pattern is stable for the same host or managed host group, and avoid broad exceptions.