{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/milvus-inovacoes-em-software-ltda/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","token-theft","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","philandro Software GmbH","Freedom Scientific Inc.","TeamViewer Germany GmbH","Projector.is, Inc.","TeamViewer GmbH","Cisco","Dell","Sophos","Brother Industries, Ltd.","MILVUS INOVACOES EM SOFTWARE LTDA","Chocolatey Software, Inc"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary. The technique, often referred to as token theft, allows adversaries to escalate privileges and bypass access controls by creating a new process with a different token. The rule focuses on detecting instances where a process is initiated with the SYSTEM user ID (S-1-5-18) and its effective parent process is a privileged Microsoft native binary located in a standard Windows directory. This activity is indicative of an attempt to hijack a legitimate system process\u0026rsquo;s token for malicious purposes. This can lead to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged Windows process, such as a service running as SYSTEM, as a target for token theft.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eCreateProcessWithTokenW\u003c/code\u003e API (or similar) to create a new process.\u003c/li\u003e\n\u003cli\u003eThe new process is configured to run under the security context (token) of the targeted privileged process.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes malicious code within the context of the newly created process.\u003c/li\u003e\n\u003cli\u003eThis malicious code now operates with SYSTEM-level privileges, bypassing normal access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use these elevated privileges to install malware, modify system settings, or steal sensitive data.\u003c/li\u003e\n\u003cli\u003eFinally, the adversary achieves persistence and control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform any action on the system with the highest privileges. This includes installing malware, accessing sensitive data, creating new user accounts with administrative rights, and disabling security controls. The impact is a complete compromise of the affected system. The Elastic rule has a risk score of 73 and is classified as high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend to collect the necessary process creation events, as specified in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect processes created with elevated tokens. Tune the rule based on observed false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process tree, focusing on the \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.parent.executable\u003c/code\u003e, and \u003ccode\u003eprocess.Ext.effective_parent.executable\u003c/code\u003e fields as outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and validate any exceptions before implementing them, ensuring that the exact child/parent/effective-parent pattern is stable for the same host or managed host group, and avoid broad exceptions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:11:31Z","date_published":"2026-05-12T19:11:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-process-created-with-elevated-token/","summary":"This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.","title":"Process Created with an Elevated Token via Token Theft","url":"https://feed.craftedsignal.io/briefs/2026-05-process-created-with-elevated-token/"}],"language":"en","title":"CraftedSignal Threat Feed — MILVUS INOVACOES EM SOFTWARE LTDA","version":"https://jsonfeed.org/version/1.1"}