Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit overwrites the Microsoft Edge elevation service binary, elevation_service.exe, with the attacker's own executable (here the pre-compiled InstallerFileTakeOver.exe), so that attacker code runs when the service starts.
We can monitor this with #Sysmon event ID 11 (FileCreate), which fires when a file is created or overwritten. Legitimate Edge installs and updates also write this file, so check event_data.Image (the writing process): an installer under the Edge program directory is expected, a user-launched binary from a writable path is not:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
The replaced binary then loads modules from its own image file. This shows up as Sysmon event ID 7 (Image loaded) with event_data.Image and event_data.ImageLoaded both pointing at elevation_service.exe, which is not normal behaviour for the legitimate service:
event_id:7 AND event_data.Image:*\\elevation_service.exe AND event_data.ImageLoaded:*\\elevation_service.exe
The exploit then creates a named pipe whose name the user can customise; the pre-compiled PoC names it \ExploitPipe, as can be seen in its source.
Monitor this with Sysmon event IDs 17 (Pipe Created) and 18 (Pipe Connected). The legitimate elevation_service.exe rarely creates named pipes and only connects to certain pipes, so any pipe activity from this image is worth a look; the PipeName field gives the name if the attacker kept the default:
event_id:(17 OR 18) AND event_data.Image:*\\elevation_service.exe
The replaced elevation_service.exe then launches a command processor (cmd.exe) at System integrity level. The legitimate executable should not spawn a command shell at all, so any cmd.exe whose parent is elevation_service.exe is suspicious; Sysmon event ID 1 also carries an IntegrityLevel field that can be added to the query to confirm the child runs as System:
event_id:1 AND event_data.ParentImage:*\\elevation_service.exe AND (event_data.Description:"Windows Command Processor" OR event_data.OriginalFileName:"Cmd.Exe")
Throughout the exploit the masqueraded elevation_service.exe sits at the legitimate path. Sysmon event ID 1 still exposes the difference, because the Description and OriginalFileName fields come from the binary's version resource: the genuine service reports Description "Microsoft Edge" and OriginalFileName "elevation_service.exe", while the replacement carries whatever the attacker's binary was built with.
Furthermore, we can detect these inconsistencies by alerting on any process at that image path whose metadata does not match the genuine values (the original query listed the genuine values without negating them, which would match the legitimate binary instead of the replacement):
event_id:1 AND event_data.Image:*\\elevation_service.exe AND NOT (event_data.Description:"Microsoft Edge" AND event_data.OriginalFileName:"elevation_service.exe")
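To show the whole chain of detections above running end to end, here is an added example (my own code, not the thread author's or the PoC's) that replays the five rules over constructed Sysmon events. The field names (event_id, event_data.Image, event_data.TargetFilename, ...) follow the Elastic/Winlogbeat-style layout the thread's queries use; the Edge version directory, the user name and the version-resource values of the replacement binary are assumptions made up for the sample, and the allowlist pattern for legitimate writers of elevation_service.exe is a tuning suggestion rather than anything from the thread.

```python
"""Replay of the thread's Sysmon detections over constructed events.

Field layout mirrors Winlogbeat/Elastic (event_id, event_data.*) as used in the
thread's queries. Every event in SAMPLE_EVENTS is constructed for this example;
none of it is real telemetry captured from the PoC.
"""
import fnmatch

EDGE_SVC = "*\\elevation_service.exe"
# Assumed location of legitimate writers (Edge installer/updater); tune per estate.
EXPECTED_WRITER = "C:\\Program Files*\\Microsoft\\Edge*\\*"


def like(value, pattern):
    """Case-insensitive wildcard match; Windows paths are case-insensitive."""
    return value is not None and fnmatch.fnmatch(value.lower(), pattern.lower())


def r_file_overwrite(e):
    # Sysmon 11 fires on create *and* overwrite, which is how the PoC replaces the binary.
    return e["event_id"] == 11 and like(e["event_data"].get("TargetFilename"), EDGE_SVC)


def r_unexpected_writer(e):
    # Same event, but only when the writing process is not the expected installer.
    return r_file_overwrite(e) and not like(e["event_data"].get("Image"), EXPECTED_WRITER)


def r_self_load(e):
    d = e["event_data"]
    return e["event_id"] == 7 and like(d.get("Image"), EDGE_SVC) and like(d.get("ImageLoaded"), EDGE_SVC)


def r_named_pipe(e):
    return e["event_id"] in (17, 18) and like(e["event_data"].get("Image"), EDGE_SVC)


def r_spawns_cmd(e):
    d = e["event_data"]
    return (e["event_id"] == 1 and like(d.get("ParentImage"), EDGE_SVC)
            and (d.get("Description") == "Windows Command Processor"
                 or (d.get("OriginalFileName") or "").lower() == "cmd.exe"))


def r_masquerade(e):
    """Image path is elevation_service.exe but the version metadata is not the genuine service's."""
    d = e["event_data"]
    if e["event_id"] != 1 or not like(d.get("Image"), EDGE_SVC):
        return False
    genuine = (d.get("Description") == "Microsoft Edge"
               and (d.get("OriginalFileName") or "").lower() == "elevation_service.exe")
    return not genuine


RULES = {
    "elevation_service_file_overwrite": r_file_overwrite,
    "elevation_service_unexpected_writer": r_unexpected_writer,
    "elevation_service_self_load": r_self_load,
    "elevation_service_named_pipe": r_named_pipe,
    "elevation_service_spawns_cmd": r_spawns_cmd,
    "elevation_service_masquerade": r_masquerade,
}


def run_detections(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, idx) for idx, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


# Constructed sample events (assumed paths/version; not real captures).
EDGE_DIR = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\1.0.0.0\\"
SVC = EDGE_DIR + "elevation_service.exe"
SAMPLE_EVENTS = [
    # 0: legitimate Edge update laying down the service binary
    {"event_id": 11, "event_data": {"Image": EDGE_DIR + "Installer\\setup.exe", "TargetFilename": SVC}},
    # 1: PoC overwriting the service binary from a user-writable path
    {"event_id": 11, "event_data": {"Image": "C:\\Users\\alice\\Downloads\\InstallerFileTakeOver.exe",
                                    "TargetFilename": SVC}},
    # 2: replaced service loading its own image
    {"event_id": 7, "event_data": {"Image": SVC, "ImageLoaded": SVC}},
    # 3: replaced service creating the default pipe
    {"event_id": 17, "event_data": {"Image": SVC, "PipeName": "\\ExploitPipe"}},
    # 4: SYSTEM cmd.exe spawned by the replaced service
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": SVC,
                                   "Description": "Windows Command Processor",
                                   "OriginalFileName": "Cmd.Exe", "IntegrityLevel": "System"}},
    # 5: process creation of the replacement: path matches, metadata does not (assumed values)
    {"event_id": 1, "event_data": {"Image": SVC, "Description": "InstallerFileTakeOver",
                                   "OriginalFileName": "InstallerFileTakeOver.exe"}},
    # 6: process creation of the genuine service: must not alert
    {"event_id": 1, "event_data": {"Image": SVC, "Description": "Microsoft Edge",
                                   "OriginalFileName": "elevation_service.exe"}},
]

if __name__ == "__main__":
    for name, idx in run_detections(SAMPLE_EVENTS):
        print(f"{name:40s} event #{idx}")
```

Event 0 trips the plain file-overwrite rule but not the unexpected-writer refinement, which is the point of the caveat about Edge updates: the bare event ID 11 match is a hunting query, the refined one is closer to an alert. Event 6 shows the negated masquerade query staying quiet on the genuine binary.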
More details can be found on my LinkedIn post here where you can download it as a PDF - linkedin.com/posts/tondangm…. Off for dinner now🖖
