Process Creation via Secondary Logon

Author: Elastic
Source: upstream

Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134` Access Token Manipulation, `T1134.002` Access Token Manipulation: Create Process with Token, `T1134.003` Access Token Manipulation: Make and Impersonate Token
Defense Evasion	`T1134` Access Token Manipulation, `T1134.002` Access Token Manipulation: Create Process with Token, `T1134.003` Access Token Manipulation: Make and Impersonate Token

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.

Stages and Predicates

Stage 1: `eql:authentication`

event.action:"logged-in" and event.outcome:"success" and process.name:"svchost.exe" and source.ip:"::1" and user.id:"S-1-5-21-*" and winlog.event_data.LogonProcessName:"seclogo*"

Stage 2: `eql:process`

event.type:"start"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	wildcard	`logged-in`
`event.outcome`	eq	`success` corpus 8 (elastic 8)
`event.type`	eq	`start`
`process.name`	eq	`svchost.exe`
`source.ip`	eq	`::1`
`user.id`	wildcard	`S-1-12-1-` corpus 3 (elastic 3) `S-1-5-21-` corpus 3 (elastic 3)
`winlog.event_data.LogonProcessName`	wildcard	`seclogo*`