
Description

Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk
  • Last Updated: 2023-03-20
  • Author: Mauricio Velazco, Splunk
  • ID: fa34a5d8-df0a-404c-8237-11f99cba1d5f

Narrative

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Active Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.
The following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.

Detections

Name | Technique | Type
Active Directory Privilege Escalation Identified | Domain Policy Modification | Correlation
Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | TTP
Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP
Suspicious Computer Account Name Change | Valid Accounts, Domain Accounts | TTP
Suspicious Kerberos Service Ticket Request | Valid Accounts, Domain Accounts | TTP
Suspicious Ticket Granting Ticket Request | Valid Accounts, Domain Accounts | Hunting
Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting
Unusual Number of Remote Endpoint Authentication Events | Valid Accounts | Hunting
Windows Administrative Shares Accessed On Multiple Hosts | Network Share Discovery | TTP
Windows Admon Default Group Policy Object Modified | Domain Policy Modification, Group Policy Modification | TTP
Windows Admon Group Policy Object Created | Domain Policy Modification, Group Policy Modification | TTP
Windows Default Group Policy Object Modified | Domain Policy Modification, Group Policy Modification | TTP
Windows Default Group Policy Object Modified with GPME | Domain Policy Modification, Group Policy Modification | TTP
Windows DnsAdmins New Member Added | Account Manipulation | TTP
Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP
Windows File Share Discovery With Powerview | Network Share Discovery | TTP
Windows File Share Discovery With Powerview | Unsecured Credentials, Group Policy Preferences | TTP
Windows Findstr GPP Discovery | Unsecured Credentials, Group Policy Preferences | TTP
Windows Group Policy Object Created | Domain Policy Modification, Group Policy Modification, Domain Accounts | TTP
Windows Large Number of Computer Service Tickets Requested | Network Share Discovery, Valid Accounts | Anomaly
Windows Local Administrator Credential Stuffing | Brute Force, Credential Stuffing | TTP
Windows PowerSploit GPP Discovery | Unsecured Credentials, Group Policy Preferences | TTP
Windows PowerView AD Access Control List Enumeration | Domain Accounts, Permission Groups Discovery | TTP
Windows Rapid Authentication On Multiple Hosts | Security Account Manager | TTP
Windows Special Privileged Logon On Multiple Hosts | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP

Reference

source | version: 1