Analytics Story: Windows Privilege Escalation

Description

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

Why it matters

Privilege escalation is a "land-and-expand" technique: an adversary gains an initial foothold on a host and then abuses its weaknesses to raise the privilege level of the account or token they control. The motivation is simple: certain actions on a Windows machine, such as installing software, require higher privileges than the attacker initially obtained, and with elevated privileges the attacker gains the control needed to carry out the rest of the intrusion. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Windows New Default File Association Value Set | Change Default File Association | Hunting |
| Logon Script Event Trigger Execution | Logon Script (Windows) | TTP |
| Windows Mock Trusted Directory MSC File Creation | MMC, Bypass User Account Control, Hijack Execution Flow | TTP |
| Windows AppCertDLL Modification Via Command Line | AppCert DLLs | Anomaly |
| Windows MSI Rollback Script Deleted By Non-Msiexec Process | Exploitation for Privilege Escalation, Msiexec | TTP |
| Time Provider Persistence Registry | Time Providers | TTP |
| Windows Privilege Escalation Suspicious Process Elevation | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP |
| Windows Privilege Escalation Attempt Via MSI Rollback | Exploitation for Privilege Escalation | TTP |
| Screensaver Event Trigger Execution | Screensaver | TTP |
| Overwriting Accessibility Binaries | Accessibility Features | TTP |
| MSI Module Loaded by Non-System Binary | DLL | Hunting |
| Windows Privilege Escalation System Process Without System Parent | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP |
| Print Processor Registry Autostart | Print Processors | TTP |
| Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP |
| Kerberoasting spn request with RC4 encryption | Kerberoasting | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Runas Execution in CommandLine | Token Impersonation/Theft | Hunting |
| Windows SymbolicLink-Testing-Tools Utility Execution | File and Directory Permissions Modification, NTFS File Attributes | TTP |
| ETW Registry Disabled | Trusted Developer Utilities Proxy Execution, Disable or Modify Tools | TTP |
| Windows Potato Privilege Escalation Tool Execution | Exploitation for Privilege Escalation | TTP |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP |
| Active Setup Registry Autostart | Active Setup | TTP |
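The searches behind these detections are not reproduced on this page. As an added example (our code, not one of the story's Splunk searches), the following Python sketch shows the idea behind "Windows Privilege Escalation User Process Spawn System Process" applied to the Sysmon EventID 1 (process creation) data source listed in this story: flag a child process that runs as a built-in system account when its parent runs as an ordinary user. The XML layout, the set of accounts treated as system accounts, the hostname, and the four sample events are all assumptions constructed for the example, and the check for a missing ParentUser field reflects that Sysmon only added that field in version 13.

```python
"""Added example, not one of this story's Splunk searches: a minimal detector
for the idea behind "Windows Privilege Escalation User Process Spawn System
Process", run over Sysmon EventID 1 (process creation) records.

Assumptions (ours, not the page's): the Sysmon XML layout below, the account
names treated as system accounts, and the constructed sample events.
"""
import xml.etree.ElementTree as ET
from typing import Iterable

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Built-in service accounts. A child running as one of these whose parent
# runs as an ordinary user is the privilege boundary we want to see crossed.
SYSTEM_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event: EventID, Computer, and every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=EVT_NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
    }
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def is_user_to_system_spawn(ev: dict) -> bool:
    """True when a non-system parent created a child running as a system account."""
    if ev.get("EventID") != "1":
        return False
    child = ev.get("User", "").lower()
    parent = ev.get("ParentUser", "").lower()
    # ParentUser exists only in Sysmon 13+; older records cannot be judged here.
    if not parent or parent == "-":
        return False
    return child in SYSTEM_ACCOUNTS and parent not in SYSTEM_ACCOUNTS


def find_escalations(events: Iterable[str]) -> list[dict]:
    """Return the fields an analyst needs for every event that crosses the boundary."""
    keep = ("Computer", "UtcTime", "ParentImage", "ParentUser", "Image", "User", "CommandLine")
    hits = []
    for raw in events:
        ev = parse_sysmon_event(raw)
        if is_user_to_system_spawn(ev):
            hits.append({k: ev.get(k, "") for k in keep})
    return hits


def make_event(**data: str) -> str:
    """Build a constructed Sysmon EventID 1 record (sample data, not a real log)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
        "<Computer>ws01.corp.example</Computer></System>"
        f"<EventData>{rows}</EventData></Event>"
    )


# Constructed sample events: two benign, one suspicious, one undecidable.
SAMPLE_EVENTS = [
    make_event(UtcTime="2024-03-01 09:00:01.000",
               Image=r"C:\Windows\System32\svchost.exe", CommandLine="svchost.exe -k netsvcs",
               User=r"NT AUTHORITY\SYSTEM", IntegrityLevel="System",
               ParentImage=r"C:\Windows\System32\services.exe", ParentUser=r"NT AUTHORITY\SYSTEM"),
    make_event(UtcTime="2024-03-01 09:05:12.000",
               Image=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe notes.txt",
               User=r"CORP\alice", IntegrityLevel="Medium",
               ParentImage=r"C:\Windows\System32\cmd.exe", ParentUser=r"CORP\alice"),
    make_event(UtcTime="2024-03-01 09:07:44.000",
               Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami",
               User=r"NT AUTHORITY\SYSTEM", IntegrityLevel="System",
               ParentImage=r"C:\Users\alice\Downloads\update.exe", ParentUser=r"CORP\alice"),
    make_event(UtcTime="2024-03-01 09:08:00.000",  # pre-Sysmon-13 style: no ParentUser
               Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe",
               User=r"NT AUTHORITY\SYSTEM", IntegrityLevel="System",
               ParentImage=r"C:\Users\alice\Downloads\update.exe"),
]

if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_EVENTS):
        print(f"{hit['UtcTime']} {hit['Computer']}: {hit['ParentUser']} ({hit['ParentImage']}) "
              f"-> {hit['User']} ({hit['Image']}) cmd={hit['CommandLine']!r}")
```

Only the third sample event is reported: a SYSTEM cmd.exe whose parent is a user-owned binary. The fourth event carries no ParentUser and is deliberately left alone rather than guessed at, which is the tuning decision to make explicit when the same logic is ported to Splunk against older Sysmon deployments. For the Windows Security 4688 data source listed in this story, the equivalent comparison uses the event's Subject (creator) fields against its Target Subject (new process) fields, which Windows populates when the new process runs under a different token.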

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4769 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 3