Analytics Story: Windows Privilege Escalation

Description

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

Why it matters

Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine, such as installing software, may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

Name | Technique | Type
Windows VSSVC Process Accessing Defender Engine | Exploitation for Privilege Escalation | TTP
Print Processor Registry Autostart | Print Processors | TTP
Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP
Kerberoasting spn request with RC4 encryption | Kerberoasting | TTP
Time Provider Persistence Registry | Time Providers | TTP
Windows MsMpEng Writing to System32 | Exploitation for Privilege Escalation, Windows Service | TTP
Active Setup Registry Autostart | Active Setup | TTP
Windows Non-System Process Querying Definition Update | Exploitation for Privilege Escalation, Web Protocols | Anomaly
Windows Privilege Escalation Attempt Via MSI Rollback | Exploitation for Privilege Escalation | TTP
Overwriting Accessibility Binaries | Accessibility Features | TTP
Windows Suspicious Child Process of TieringEngineService.exe | Exploitation for Privilege Escalation | TTP
Windows Cloud Files Filter Log Created by Non-System Process | Exploitation for Privilege Escalation | TTP
Screensaver Event Trigger Execution | Screensaver | TTP
ETW Registry Disabled | Trusted Developer Utilities Proxy Execution, Disable or Modify Tools | TTP
Windows Suspicious Burst of Password Changes | Exploitation for Privilege Escalation | TTP
Windows Admin Password Changed by Non-Admin | Exploitation for Privilege Escalation, Windows Service | TTP
Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP
Windows New Default File Association Value Set | Change Default File Association | Hunting
Windows Potato Privilege Escalation Tool Execution | Exploitation for Privilege Escalation | TTP
Windows Mock Trusted Directory MSC File Creation | MMC, Bypass User Account Control, Hijack Execution Flow | TTP
Windows Privilege Escalation System Process Without System Parent | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP
Windows Suspicious Defender Engine or Signature Files Created | Exploitation for Privilege Escalation | Anomaly
Runas Execution in CommandLine | Token Impersonation/Theft | Hunting
Windows SymbolicLink-Testing-Tools Utility Execution | File and Directory Permissions Modification, NTFS File Attributes | TTP
Windows Privilege Escalation Suspicious Process Elevation | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP
Windows MSI Rollback Script Deleted By Non-Msiexec Process | Exploitation for Privilege Escalation, Msiexec | TTP
Windows AppCertDLL Modification Via Command Line | AppCert DLLs | Anomaly
MSI Module Loaded by Non-System Binary | DLL | Hunting
Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP
Logon Script Event Trigger Execution | Logon Script (Windows) | TTP

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4769 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 15 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4723 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4724 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 3