Description

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Author: David Dorsey, Splunk
  • ID: 644e22d3-598a-429c-a007-16fdb802cae5

Narrative

Privilege escalation is a “land-and-expand” technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine, such as installing software, may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

Name | Technique | Type
Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP
Illegal Privilege Elevation via Mimikatz modules | Access Token Manipulation, Abuse Elevation Control Mechanism | TTP
Overwriting Accessibility Binaries | Accessibility Features | TTP
Probing Access with Stolen Credentials via PowerSploit modules | Valid Accounts, Account Manipulation | TTP
Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP

Version: 2