Analytics Story: Active Directory Privilege Escalation

Description

Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.

Why it matters

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Active Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success. The following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.

Search

tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `active_directory_privilege_escalation_identified_filter`
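The correlation search above is a risk-based alerting (RBA) rollup: it reads risk events attributed to this story from the Risk data model, keeps only those whose risk object is a system, groups them per system (and per MITRE tactic annotation), and fires only when at least four distinct detections (`source_count >= 4`) have contributed risk to that host. The Python below is an added illustration of that aggregation logic, not code from the Splunk project; the risk events are constructed, the field names mirror the data model fields the search uses, and the timestamp format is assumed to match what the `security_content_ctime` macro renders.

```python
"""Plain-Python re-implementation of the story's RBA correlation search,
run over constructed risk events (added example, not Splunk project code)."""
from datetime import datetime, timezone

# Threshold taken from the search: `where source_count >= 4`
SOURCE_COUNT_THRESHOLD = 4
STORY = "Active Directory Privilege Escalation"

# Constructed risk events. Field names mirror Risk.All_Risk (risk_object,
# risk_object_type, calculated_risk_score, source, MITRE annotations);
# detection names are taken from the Detections table, the MITRE IDs are
# illustrative mappings chosen for this example.
SAMPLE_RISK_EVENTS = [
    # ws-0042: five events from four distinct detections -> should alert
    {"_time": 1700000000, "risk_object": "ws-0042", "risk_object_type": "system",
     "calculated_risk_score": 25, "source": "Windows AD add Self to Group",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1098"},
    {"_time": 1700000300, "risk_object": "ws-0042", "risk_object_type": "system",
     "calculated_risk_score": 40, "source": "Windows AD Privileged Group Modification",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1098"},
    {"_time": 1700000600, "risk_object": "ws-0042", "risk_object_type": "system",
     "calculated_risk_score": 60, "source": "Windows DnsAdmins New Member Added",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1098"},
    {"_time": 1700000900, "risk_object": "ws-0042", "risk_object_type": "system",
     "calculated_risk_score": 80, "source": "Windows Domain Admin Impersonation Indicator",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1558"},
    {"_time": 1700001200, "risk_object": "ws-0042", "risk_object_type": "system",
     "calculated_risk_score": 40, "source": "Windows AD Privileged Group Modification",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1098"},
    # srv-db01: only two distinct detections -> below threshold, no alert
    {"_time": 1700000100, "risk_object": "srv-db01", "risk_object_type": "system",
     "calculated_risk_score": 30, "source": "ServicePrincipalNames Discovery with SetSPN",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1558.003"},
    {"_time": 1700000400, "risk_object": "srv-db01", "risk_object_type": "system",
     "calculated_risk_score": 30, "source": "Windows Findstr GPP Discovery",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1552.006"},
    # user risk object: excluded by risk_object_type="system"
    {"_time": 1700000500, "risk_object": "jdoe", "risk_object_type": "user",
     "calculated_risk_score": 50, "source": "Windows AD add Self to Group",
     "analyticstories": [STORY], "mitre_tactic": "Privilege Escalation",
     "mitre_tactic_id": "TA0004", "mitre_technique_id": "T1098"},
    # event tagged to a different story: excluded by the analyticstories filter
    {"_time": 1700000700, "risk_object": "ws-0042", "risk_object_type": "system",
     "calculated_risk_score": 90, "source": "Some Unrelated Detection (constructed)",
     "analyticstories": ["Other Story (constructed)"], "mitre_tactic": "Execution",
     "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059"},
]


def security_content_ctime(epoch):
    """Render an epoch as a readable timestamp (assumed ISO-like format, UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def correlate(events, story=STORY, threshold=SOURCE_COUNT_THRESHOLD):
    """Group risk events per (risk_object, type, tactic) and keep groups that
    accumulated risk from at least `threshold` distinct detection sources."""
    groups = {}
    for e in events:
        # `where All_Risk.analyticstories="..." All_Risk.risk_object_type="system"`
        if story not in e["analyticstories"] or e["risk_object_type"] != "system":
            continue
        key = (e["risk_object"], e["risk_object_type"], e["mitre_tactic"])
        groups.setdefault(key, []).append(e)

    rows = []
    for (obj, obj_type, tactic), evs in groups.items():
        sources = sorted({e["source"] for e in evs})      # values(source) / dc(source)
        if len(sources) < threshold:                       # `where source_count >= 4`
            continue
        tactic_ids = sorted({e["mitre_tactic_id"] for e in evs})
        technique_ids = sorted({e["mitre_technique_id"] for e in evs})
        rows.append({
            "risk_object": obj,
            "risk_object_type": obj_type,
            "mitre_tactic": tactic,
            "firstTime": security_content_ctime(min(e["_time"] for e in evs)),
            "lastTime": security_content_ctime(max(e["_time"] for e in evs)),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": tactic_ids,
            "mitre_tactic_id_count": len(tactic_ids),
            "mitre_technique_id": technique_ids,
            "mitre_technique_id_count": len(technique_ids),
            "source": sources,
            "source_count": len(sources),
        })
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_RISK_EVENTS):
        print(row)
```

Note the grouping key includes the tactic annotation, exactly as the `by` clause does, so a host whose detections span several tactics is split across rows and each row must clear the threshold on its own; that is worth remembering when tuning `source_count` for your environment.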

Detections

| Name | Technique | Type |
|---|---|---|
| Windows AD add Self to Group | Account Manipulation | TTP |
| Windows AD Privileged Group Modification | Account Manipulation | TTP |
| Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | TTP |
| Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP |
| ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP |
| ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP |
| Suspicious Computer Account Name Change | Valid Accounts, Domain Accounts | TTP |
| Suspicious Kerberos Service Ticket Request | Valid Accounts, Domain Accounts | TTP |
| Suspicious Ticket Granting Ticket Request | Valid Accounts, Domain Accounts | Hunting |
| Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting |
| Unusual Number of Remote Endpoint Authentication Events | Valid Accounts | Hunting |
| Windows Administrative Shares Accessed On Multiple Hosts | Network Share Discovery | TTP |
| Windows Admon Default Group Policy Object Modified | Domain or Tenant Policy Modification, Group Policy Modification | TTP |
| Windows Admon Group Policy Object Created | Domain or Tenant Policy Modification, Group Policy Modification | TTP |
| Windows Default Group Policy Object Modified | Domain or Tenant Policy Modification, Group Policy Modification | TTP |
| Windows Default Group Policy Object Modified with GPME | Domain or Tenant Policy Modification, Group Policy Modification | TTP |
| Windows DnsAdmins New Member Added | Account Manipulation | TTP |
| Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP |
| Windows File Share Discovery With Powerview | Network Share Discovery | TTP |
| Windows Findstr GPP Discovery | Unsecured Credentials, Group Policy Preferences | TTP |
| Windows Group Policy Object Created | Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts | TTP |
| Windows Large Number of Computer Service Tickets Requested | Network Share Discovery, Valid Accounts | Anomaly |
| Windows Local Administrator Credential Stuffing | Brute Force, Credential Stuffing | TTP |
| Windows Network Share Interaction With Net | Network Share Discovery, Data from Network Shared Drive | TTP |
| Windows PowerSploit GPP Discovery | Unsecured Credentials, Group Policy Preferences | TTP |
| Windows PowerView AD Access Control List Enumeration | Domain Accounts, Permission Groups Discovery | TTP |
| Windows Rapid Authentication On Multiple Hosts | Security Account Manager | TTP |
| Windows Special Privileged Logon On Multiple Hosts | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Active Directory Admon | Windows | ActiveDirectory | ActiveDirectory |
| Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4625 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4627 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4672 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4732 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4768 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4769 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4781 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 5136 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 5137 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 5140 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 5145 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1