Windows Escalation Behavior

Date: 2023-11-30 ID: eb8bda82-5e06-4d02-983c-dde9a445661c Author: Steven Dick Environment: attack_range Directory: windows_escalation_behavior

Description

Detection of common behaviors seen during process escalation/elevation.

ID	Technique	Tactic
T1068	Exploitation for Privilege Escalation	Privilege Escalation

Field	Value
Environment	attack_range
Directory	windows_escalation_behavior
Test Date	2023-11-30

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Windows Privilege Escalation System Process Without System Parent	`TTP`	Endpoint	T1068, T1548, T1134	Windows Privilege Escalation, BlackSuit Ransomware
Windows Privilege Escalation Suspicious Process Elevation	`TTP`	Endpoint	T1068, T1548, T1134	Windows Privilege Escalation, BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor
Windows Privilege Escalation User Process Spawn System Process	`TTP`	Endpoint	T1068, T1548, T1134	Windows Privilege Escalation, Compromised Windows Host, BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0