Analytics Story: Windows Privilege Escalation

Date: 2020-02-04 ID: 644e22d3-598a-429c-a007-16fdb802cae5 Author: David Dorsey, Splunk Product: Splunk Enterprise Security

Description

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

Why it matters

Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Uncommon Processes On Endpoint	Malicious File	Hunting
Active Setup Registry Autostart	Active Setup, Boot or Logon Autostart Execution	TTP
Change Default File Association	Change Default File Association, Event Triggered Execution	TTP
Child Processes of Spoolsv exe	Exploitation for Privilege Escalation	TTP
ETW Registry Disabled	Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses	TTP
Kerberoasting spn request with RC4 encryption	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Logon Script Event Trigger Execution	Boot or Logon Initialization Scripts, Logon Script (Windows)	TTP
MSI Module Loaded by Non-System Binary	DLL Side-Loading, Hijack Execution Flow	Hunting
Overwriting Accessibility Binaries	Event Triggered Execution, Accessibility Features	TTP
Print Processor Registry Autostart	Print Processors, Boot or Logon Autostart Execution	TTP
Registry Keys Used For Privilege Escalation	Image File Execution Options Injection, Event Triggered Execution	TTP
Runas Execution in CommandLine	Access Token Manipulation, Token Impersonation/Theft	Hunting
Screensaver Event Trigger Execution	Event Triggered Execution, Screensaver	TTP
Time Provider Persistence Registry	Time Providers, Boot or Logon Autostart Execution	TTP
Windows Privilege Escalation Suspicious Process Elevation	Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation	TTP
Windows Privilege Escalation System Process Without System Parent	Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation	TTP
Windows Privilege Escalation User Process Spawn System Process	Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 7	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log Security 4769	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://attack.mitre.org/tactics/TA0004/

Source: GitHub | Version: 2