Monitoring for signs of a Windows privilege escalation attack
You work for a government agency that, for security reasons, maintains tight controls over access to certain systems. The CISO is concerned about privilege escalation in which an adversary gains an initial foothold on a host and then exploits its weaknesses to increase their privileges. By increasing their privilege level, the attacker can gain the control required to carry out malicious ends. As a security analyst, you need to recommend a series of searches that will help prevent such attacks in the agency.
Data required
How to use Splunk software for this use case
- Active setup registry autostart
- Change default file association
- ETW registry disabled
- Kerberoasting spn request with RC4 encryption
- Logon script event trigger execution
- MSI module loaded by non-system binary
- Overwriting accessibility binaries
- Registry keys used for privilege escalation
- Runas execution in commandLine
- Screensaver event trigger execution
- Time provider persistence registry
Next steps
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Creating a golden image of common processes run by your organization
- Actively monitoring the registry changes happening across machines
- Quickly investigating anomalous processes using SOAR tools, if possible, to scale
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Number of unlikely processes and users making registry changes: A high number is an indicator of anomalous behavior that might be related to privilege escalation
- Number of hosts with uncommon processes in your organization: A high number might be an indicator of privilege escalation