Try in Splunk Security Cloud
Description
Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2023-03-20
- Author: Mauricio Velazco, Splunk
- ID: fa34a5d8-df0a-404c-8237-11f99cba1d5f
Narrative
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Active Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.
The following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.
Detections
| Name |
Technique |
Type |
| Active Directory Privilege Escalation Identified |
Domain Policy Modification |
Correlation |
| Kerberos Service Ticket Request Using RC4 Encryption |
Steal or Forge Kerberos Tickets, Golden Ticket |
TTP |
| Rubeus Command Line Parameters |
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting |
TTP |
| ServicePrincipalNames Discovery with PowerShell |
Kerberoasting |
TTP |
| ServicePrincipalNames Discovery with SetSPN |
Kerberoasting |
TTP |
| Suspicious Computer Account Name Change |
Valid Accounts, Domain Accounts |
TTP |
| Suspicious Kerberos Service Ticket Request |
Valid Accounts, Domain Accounts |
TTP |
| Suspicious Ticket Granting Ticket Request |
Valid Accounts, Domain Accounts |
Hunting |
| Unusual Number of Computer Service Tickets Requested |
Valid Accounts |
Hunting |
| Unusual Number of Remote Endpoint Authentication Events |
Valid Accounts |
Hunting |
| Windows Administrative Shares Accessed On Multiple Hosts |
Network Share Discovery |
TTP |
| Windows Admon Default Group Policy Object Modified |
Domain Policy Modification, Group Policy Modification |
TTP |
| Windows Admon Group Policy Object Created |
Domain Policy Modification, Group Policy Modification |
TTP |
| Windows Default Group Policy Object Modified |
Domain Policy Modification, Group Policy Modification |
TTP |
| Windows Default Group Policy Object Modified with GPME |
Domain Policy Modification, Group Policy Modification |
TTP |
| Windows Default Group Policy Object Modified with GPME |
Domain Policy Modification, Group Policy Modification |
TTP |
| Windows DnsAdmins New Member Added |
Account Manipulation |
TTP |
| Windows File Share Discovery With Powerview |
Network Share Discovery |
TTP |
| Windows File Share Discovery With Powerview |
Unsecured Credentials, Group Policy Preferences |
TTP |
| Windows Findstr GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
TTP |
| Windows Findstr GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
TTP |
| Windows Group Policy Object Created |
Domain Policy Modification, Group Policy Modification, Domain Accounts |
TTP |
| Windows Large Number of Computer Service Tickets Requested |
Network Share Discovery, Valid Accounts |
Anomaly |
| Windows Local Administrator Credential Stuffing |
Brute Force, Credential Stuffing |
TTP |
| Windows PowerSploit GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
TTP |
| Windows PowerSploit GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
TTP |
| Windows PowerView AD Access Control List Enumeration |
Domain Accounts, Permission Groups Discovery |
TTP |
| Windows PowerView AD Access Control List Enumeration |
Domain Accounts, Permission Groups Discovery |
TTP |
| Windows Rapid Authentication On Multiple Hosts |
Security Account Manager |
TTP |
| Windows Special Privileged Logon On Multiple Hosts |
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery |
TTP |
Reference
source | version: 1