Privilege Escalation via Rogue Named Pipe Impersonation

Elastic Stack Serverless Security

Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.

Rule type: eql

Rule indices:

• winlogbeat-*
• logs-windows.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
• https://github.com/zcgonvh/EfsPotato
• https://twitter.com/SBousseaden/status/1429530155291193354

Tags:

• Elastic
• Host
• Windows
• Threat Detection
• Privilege Escalation

Version: 1

Rule authors:

• Elastic

Rule license: Elastic License v2

Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
condition equal "contains" and keyword equal "pipe"

file where event.action : "Pipe Created*" and
 /* normal sysmon named pipe creation events truncate the pipe keyword */
  file.name : "\\*\\Pipe\\*"

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Privilege Escalation
  • ID: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Access Token Manipulation
  • ID: T1134
  • Reference URL: https://attack.mitre.org/techniques/T1134/