Monitoring for signs of Windows privilege escalation attacks

Scenario: You work for a government agency that, for security reasons, maintains tight controls over access to certain systems. The CISO is concerned about privilege escalation in which an adversary gains an initial foothold on a host and then exploits its weaknesses to increase their privileges. By increasing their privilege level, the attacker can gain the control required to carry out malicious ends. As a security analyst, you need to recommend a series of searches that will help prevent such attacks in the agency. 

How Splunk software can help

The Splunk Security Research team developed this use case to help you detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

What you need 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

People

The best person to implement this use case is a security analyst or threat hunter who is familiar with authentication, endpoint, and web server data. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.

Time

Monitoring for signs of Windows privilege escalation attacks can take only a few minutes each day.

Technologies 

The following technologies, data, and integrations are useful in successfully implementing this use case: 

• Splunk Enterprise or Splunk Cloud
• Data normalized to the following CIM models:
  • Authentication
  • Endpoint

How to use Splunk software for this use case

You can run many searches with Splunk software to monitor for signs of Windows privilege escalation attacks. Depending on what information you have available, you might find it useful to run some or all of the following: 

• Child processes of Spoolsv.exe
• Windows accessibility binary modifications
• Registry keys used for privilege escalation
• Uncommon processes on endpoint

If you identify suspicious behavior, you can investigate further using these searches:

• Authentication logs for an endpoint
• Processes running on a host
• Registry activities
• Web activities from a host

Other steps you can take

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

• Creating a golden image of common processes run by your organization
• Actively monitoring the registry changes happening across machines
• Quickly investigating anomalous processes using SOAR tools, if possible, to scale 

Related resources 

If you have questions about this use case, see the Security Research team's support options on GitHub. In addition, these Splunk resources might help you understand and implement this use case:

• Conf Talk: Real world cases of insider threat
• Blog: Spotting the signs of lateral movement
• Blog: Get more flexibility and accelerated searches with the new endpoint data model

How to assess your results

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

• Number of unlikely processes and users making registry changes: A high number is an indicator of anomalous behavior that might be related to privilege escalation
• Number of hosts with uncommon processes in your organization: A high number might be an indicator of privilege escalation