Analytics Story: Windows Privilege Escalation

Description

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

Why it matters

Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Uncommon Processes On Endpoint | Malicious File | Hunting |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Logon Script Event Trigger Execution | Boot or Logon Initialization Scripts, Logon Script (Windows) | TTP |
| MSI Module Loaded by Non-System Binary | DLL Side-Loading, Hijack Execution Flow | Hunting |
| Overwriting Accessibility Binaries | Event Triggered Execution, Accessibility Features | TTP |
| Print Processor Registry Autostart | Print Processors, Boot or Logon Autostart Execution | TTP |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP |
| Runas Execution in CommandLine | Access Token Manipulation, Token Impersonation/Theft | Hunting |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| Windows Privilege Escalation Suspicious Process Elevation | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |
| Windows Privilege Escalation System Process Without System Parent | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |
| Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4769 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 2