Techniques
Sample rules
Windows SymbolicLink-Testing-Tools Utility Execution
- source: splunk
- technicques:
- T1222
- T1564.004
Description
Detects the execution of tools from the symboliclink-testing-tools toolkit.
This toolkit is often used for exploiting Windows symbolic link, junction, and oplock vulnerabilities to achieve local privilege escalation from a standard user to SYSTEM.
Symbolic link attacks against Windows exploit a class of logical vulnerability where a SYSTEM or administrator-level process performs a file operation on a path that a low-privileged attacker can redirect using a combination of NTFS junctions, object manager symbolic links, and opportunistic locks (oplocks).
By chaining these primitives a standard user can redirect a privileged file write, delete, or read to an arbitrary path, effectively turning a narrow file operation vulnerability into arbitrary write or code execution as SYSTEM.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_name IN (
"BaitAndSwitch.exe",
"CreateDosDeviceSymlink.exe",
"CreateMountPoint.exe",
"CreateNtfsSymlink.exe",
"CreateObjectDirectory.exe",
"CreateRegSymlink.exe",
"DeleteMountPoint.exe",
"DumpReparsePoint.exe",
"NativeSymlink.exe",
"SetOpLock.exe"
)
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_symboliclink_testing_tools_utility_execution_filter`