You work for a government agency that, for security reasons, maintains tight controls over access to certain systems. The CISO is concerned about privilege escalation in which an adversary gains an initial foothold on a host and then exploits its weaknesses to increase their privileges. By increasing their privilege level, the attacker can gain the control required to carry out malicious ends. As a security analyst, you need to recommend a series of searches that will help prevent such attacks in the agency.
How to use Splunk software for this use case
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
- Active setup registry autostart
- Change default file association
- ETW registry disabled
- Kerberoasting spn request with RC4 encryption
- Logon script event trigger execution
- MSI module loaded by non-system binary
- Overwriting accessibility binaries
- Registry keys used for privilege escalation
- Runas execution in commandLine
- Screensaver event trigger execution
- Time provider persistence registry
To get the most benefit from them, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly affect success with this use case:
- Creating a golden image of common processes run by your organization
- Actively monitoring the registry changes happening across machines
- Quickly investigating anomalous processes, using SOAR tools where possible so the investigation scales
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Number of unlikely processes and users making registry changes: A high number is an indicator of anomalous behavior that might be related to privilege escalation
- Number of hosts with uncommon processes in your organization: A high number might be an indicator of privilege escalation
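Both metrics above, together with the golden-image baseline from the previous list, can be computed outside Splunk as a sanity check on the logic before it is turned into a search. The following is an added example, not Splunk code or ESCU content: it parses constructed registry-write events (the key=value layout, the user and process names, and the allowlist are all assumptions) and counts unlikely (user, process) pairs, hosts running non-baseline processes, and writes to key paths behind the autostart, accessibility-binary and time-provider detections listed earlier.

```python
import re
from collections import Counter

# Constructed sample events, not real telemetry; the key=value layout is an
# assumption about what an endpoint agent might forward for registry writes.
SAMPLE_EVENTS = r"""
host=ws01 user=CORP\alice process=C:\Windows\explorer.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
host=ws01 user=CORP\alice process=C:\Windows\explorer.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
host=ws02 user=CORP\svc-time process=C:\Windows\System32\svchost.exe key=HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
host=ws02 user=CORP\bob process=C:\Users\bob\Downloads\update.exe key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
host=ws03 user=CORP\carol process=C:\Windows\regedit.exe key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"""

# Assumed allowlist of golden-image processes expected to write the registry (lowercase).
GOLDEN_IMAGE_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}

# Illustrative key fragments: autostart (Run), accessibility binaries (IFEO), time providers.
WATCHED_KEY_FRAGMENTS = (r"\currentversion\run", r"image file execution options", r"\timeproviders")

EVENT_RE = re.compile(r"host=(\S+) user=(\S+) process=(.+?) key=(.+)$")

def parse_events(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(dict(zip(("host", "user", "process", "key"), m.groups())))
    return events

def unlikely_changers(events, baseline=GOLDEN_IMAGE_PROCESSES):
    """Metric 1: (user, process) pairs outside the golden image that wrote the registry."""
    counts = Counter()
    for e in events:
        if e["process"].lower() not in baseline:
            counts[(e["user"], e["process"])] += 1
    return counts

def hosts_with_uncommon_processes(events, baseline=GOLDEN_IMAGE_PROCESSES):
    """Metric 2: hosts on which a non-baseline process changed the registry."""
    return {e["host"] for e in events if e["process"].lower() not in baseline}

def escalation_key_hits(events):
    """Events touching registry paths covered by the watched detections."""
    return [e for e in events if any(f in e["key"].lower() for f in WATCHED_KEY_FRAGMENTS)]

if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("unlikely registry writers:", dict(unlikely_changers(evts)))
    print("hosts:", sorted(hosts_with_uncommon_processes(evts)), "watched-key writes:", len(escalation_key_hits(evts)))
```

A rising count from unlikely_changers or a growing host set is the signal the metrics above describe; the allowlist is the part that must come from your own golden image rather than from this sample.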
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.