Unauthorised Access & Privilege Escalation Investigation Runbook

SOC & DFIR Operations Guide

Environment: Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access

---

Overview & Scope

This runbook provides standardised procedures for investigating unauthorised access attempts and privilege escalation attacks across the hybrid enterprise environment. It covers detection, investigation, containment, and remediation workflows for both on-premises Active Directory and cloud identity platforms.

Attack Categories

Unauthorised Access Types

Type	Description	Examples
Credential-Based	Using stolen/compromised credentials	Phishing, credential stuffing, password spray
Session Hijacking	Taking over active sessions	Token theft, cookie hijacking, session replay
Authentication Bypass	Circumventing authentication controls	MFA bypass, legacy protocol abuse, CA policy gaps
Access Control Abuse	Exploiting misconfigurations	Overprivileged accounts, broken access control
Insider Threat	Authorized users exceeding permissions	Data theft, unauthorized system access

Privilege Escalation Types

Type	Description	Target
Local Privilege Escalation	User → Admin on single system	Endpoints, servers
Domain Privilege Escalation	User → Domain Admin	Active Directory
Cloud Privilege Escalation	User → Global Admin	Entra ID, M365
Horizontal Escalation	Access to peer accounts/resources	Lateral movement
Vertical Escalation	Lower → Higher privilege level	Elevation of privilege

Common Attack Techniques

On-Premises AD Privilege Escalation

Technique	Description	Risk Level
Kerberoasting	Crack service account passwords via TGS	High
AS-REP Roasting	Crack passwords for accounts without pre-auth	High
DCSync	Replicate password hashes from DC	Critical
Golden Ticket	Forge TGT with KRBTGT hash	Critical
Silver Ticket	Forge TGS for specific services	High
AdminSDHolder Abuse	Modify protected groups ACLs	Critical
GPO Abuse	Modify Group Policy for persistence/escalation	Critical
DACL/ACL Abuse	Exploit misconfigured object permissions	High
Unconstrained Delegation	Capture TGTs from connecting users	Critical
Constrained Delegation Abuse	Impersonate users to specific services	High
Resource-Based Constrained Delegation	Modify delegation settings	High
Print Spooler Abuse	PrintNightmare, SpoolSample	High
Certificate Template Abuse	AD CS misconfigurations	Critical
Shadow Credentials	Add key credentials to user objects	High
LAPS Abuse	Access local admin passwords	High

Cloud Privilege Escalation

Technique	Description	Risk Level
Entra ID Role Assignment	Add user to privileged roles	Critical
PIM Abuse	Activate/exploit privileged roles	Critical
OAuth Consent Grant	Gain app permissions via consent	High
Application Impersonation	Use app permissions to access data	High
Service Principal Abuse	Exploit app registration permissions	High
Conditional Access Bypass	Circumvent CA policies	High
Cross-Tenant Access	Abuse B2B/B2C configurations	High
Administrative Unit Abuse	Escape AU restrictions	Medium

Local Privilege Escalation

Technique	Description	Risk Level
Token Manipulation	Impersonate privileged tokens	High
UAC Bypass	Circumvent User Account Control	Medium
DLL Hijacking	Load malicious DLLs in privileged context	High
Service Exploitation	Abuse misconfigured services	High
Scheduled Task Abuse	Create/modify tasks for elevation	Medium
Unquoted Service Paths	Exploit path parsing vulnerabilities	Medium
AlwaysInstallElevated	MSI installation with SYSTEM privileges	High
Kernel Exploits	Exploit OS vulnerabilities	Critical
Named Pipe Impersonation	Impersonate connecting clients	High

---

Detection Sources & Data Mapping

Log Sources Matrix

Platform	Log Table	Key Data
On-Prem AD	SecurityEvent	Privileged logons, group changes, ACL modifications
Defender for Identity	IdentityDirectoryEvents	AD object changes, reconnaissance
Defender for Identity	IdentityLogonEvents	Authentication events, anomalies
Defender for Identity	IdentityQueryEvents	LDAP queries, enumeration
Defender for Endpoint	DeviceEvents	Token manipulation, UAC bypass
Defender for Endpoint	DeviceProcessEvents	Privilege escalation tools
Defender for Endpoint	DeviceLogonEvents	Local/remote logons
Entra ID	AuditLogs	Role assignments, PIM activations
Entra ID	SigninLogs	Privileged account access
Cloud Apps	CloudAppEvents	OAuth grants, app permissions
Sentinel	AzureActivity	Azure RBAC changes
Sentinel	SecurityAlert	Correlated privilege alerts

Critical Windows Event IDs

Authentication & Access

Event ID	Description	Investigation Relevance
4624	Successful logon	Track privileged access patterns
4625	Failed logon	Brute force, unauthorized access attempts
4648	Explicit credential logon	Credential usage, lateral movement
4672	Special privileges assigned	Admin/privileged logon detection
4768	Kerberos TGT requested	Initial authentication, AS-REP roasting
4769	Kerberos TGS requested	Kerberoasting, service access
4771	Kerberos pre-auth failed	Password attacks
4776	NTLM authentication	Legacy auth, Pass-the-Hash

Privilege Changes

Event ID	Description	Investigation Relevance
4728	Member added to security group	Privilege escalation
4729	Member removed from security group	Access revocation, cover-up
4732	Member added to local group	Local privilege escalation
4733	Member removed from local group	Access changes
4756	Member added to universal group	Enterprise-wide access
4757	Member removed from universal group	Access changes

Object & Policy Changes

Event ID	Description	Investigation Relevance
4662	Object access operation	DCSync detection, AD object access
4663	Object access attempted	File/folder access
4670	Permissions changed on object	ACL modification
4713	Kerberos policy changed	Security policy tampering
4719	System audit policy changed	Audit evasion
4739	Domain policy changed	Domain-wide changes
4780	ACL set on admin accounts	AdminSDHolder modification
5136	Directory object modified	AD attribute changes
5137	Directory object created	New AD objects
5141	Directory object deleted	AD object removal

Service & Scheduled Task

Event ID	Description	Investigation Relevance
4697	Service installed	Persistence, privilege escalation
4698	Scheduled task created	Persistence mechanism
4699	Scheduled task deleted	Cover-up activity
4700	Scheduled task enabled	Activation of persistence
4702	Scheduled task updated	Modification of tasks

---

Investigation Workflows

Unauthorised Access Investigation

Objective: Determine if access was unauthorised, identify the access method, assess impact, and remediate.

Step 1: Initial Triage

1. Review the alert source and detection logic

2. Identify the account and resource accessed

3. Verify if access was expected/authorised

4. Check account type: user, service, admin, guest

5. Determine time of access vs. normal working hours

Step 2: Access Pattern Analysis

1. Query SigninLogs/SecurityEvent for account history

2. Compare current access to baseline behaviour

3. Check source IP, location, and device

4. Review authentication method used

5. Identify any Conditional Access policy bypasses

Step 3: Session Analysis

1. Determine session duration and activity

2. Query all resources accessed during session

3. Check for data access, downloads, or modifications

4. Review email activity if applicable

5. Examine file access patterns

Step 4: Authorisation Verification

1. Confirm account's authorised access level

2. Check group memberships and role assignments

3. Verify if access was within scope of permissions

4. Review any recent permission changes

5. Contact account owner if needed for verification

Step 5: Impact Assessment

1. Document all resources accessed

2. Identify sensitive data exposure

3. Check for data exfiltration indicators

4. Assess potential for lateral movement

5. Determine business impact

---

Domain Privilege Escalation Investigation

Objective: Detect and investigate attempts to gain elevated privileges within Active Directory.

Step 1: Identify Escalation Vector

1. Review MDI alerts for known attack patterns

2. Check for Kerberoasting/AS-REP Roasting indicators

3. Look for DCSync or replication anomalies

4. Review sensitive group membership changes

5. Check for delegation abuse

Step 2: Sensitive Group Monitoring

Critical Groups to Monitor:

Group	Risk	Detection Focus
Domain Admins	Critical	Any membership change
Enterprise Admins	Critical	Any membership change
Schema Admins	Critical	Any membership change
Administrators	Critical	Non-standard additions
Account Operators	High	Can create/modify accounts
Backup Operators	High	Can access any file
Server Operators	High	Can logon to DCs
Print Operators	High	Can load drivers on DCs
DnsAdmins	High	Can execute code on DCs
Group Policy Creator Owners	High	Can create GPOs

Step 3: DCSync Detection

1. Query for Directory Replication Service Access

2. Check 4662 events for replication GUIDs

3. Verify source is a legitimate domain controller

4. Review MDI alerts for DCSync detection

5. Check for DRSUAPI calls from non-DCs

Step 4: Kerberos Attack Detection

1. Review 4769 events for RC4 encryption (0x17)

2. Check for bulk TGS requests from single user

3. Look for AS-REQ without pre-auth (4768)

4. Monitor for ticket anomalies via MDI

5. Check for golden/silver ticket indicators

Step 5: GPO Abuse Detection

1. Query for GPO creation/modification events

2. Check for GPO links to sensitive OUs

3. Review script deployment via GPO

4. Look for scheduled task deployment

5. Monitor for software installation changes

---

Cloud Privilege Escalation Investigation

Objective: Detect and investigate privilege escalation within Entra ID and Microsoft 365.

Step 1: Role Assignment Analysis

1. Query AuditLogs for role assignment events

2. Identify who assigned the role and when

3. Verify the assignment was authorised

4. Check if proper approval workflow was followed

5. Review the user's other role assignments

Step 2: PIM Activity Review

1. Query for PIM role activations

2. Check justification provided for activation

3. Verify approval if required

4. Review activation duration

5. Analyse activity during activation period

Step 3: Application Consent Analysis

1. Query for OAuth consent grant events

2. Identify permissions granted

3. Check if admin consent was required/given

4. Review the application's reputation

5. Assess risk of granted permissions

Step 4: Service Principal Investigation

1. Review service principal permission changes

2. Check for credential/secret additions

3. Identify API permissions granted

4. Review owner assignments

5. Check for federation configurations

Step 5: Conditional Access Bypass

1. Review sign-ins that bypassed CA policies

2. Identify policy gaps or exclusions

3. Check for legacy authentication usage

4. Review named locations and trusted IPs

5. Assess device compliance bypasses

---

Local Privilege Escalation Investigation

Objective: Detect and investigate attempts to gain SYSTEM or admin privileges on endpoints.

Step 1: Process Analysis

1. Review DeviceProcessEvents for suspicious activity

2. Check for known escalation tools (mimikatz, etc.)

3. Analyse parent-child process relationships

4. Look for unusual SYSTEM process creation

5. Check for token manipulation indicators

Step 2: Service Exploitation Detection

1. Review service creation/modification events

2. Check for unquoted service paths

3. Look for writable service binaries

4. Review service account permissions

5. Check for DLL hijacking opportunities

Step 3: Scheduled Task Analysis

1. Query for task creation by non-admin users

2. Check for SYSTEM-level task execution

3. Review task actions and triggers

4. Look for suspicious task paths

5. Check for legacy AT jobs

Step 4: Exploit Indicators

1. Review MDE alerts for exploit detection

2. Check for kernel exploit indicators

3. Look for UAC bypass patterns

4. Review memory injection alerts

5. Check for driver loading anomalies

---

KQL Query Cheat Sheet

Privileged Account Monitoring

Privileged Logon Activity

// Monitor privileged account logons
let PrivilegedAccounts = dynamic(["admin", "administrator", "domain admin"]);
IdentityLogonEvents
| where Timestamp > ago(24h)
| where AccountUpn has_any (PrivilegedAccounts) or AccountName has_any (PrivilegedAccounts)
| summarize 
    LogonCount = count(),
    UniqueDevices = dcount(TargetDeviceName),
    Devices = make_set(TargetDeviceName, 10),
    LogonTypes = make_set(LogonType)
    by AccountUpn, AccountName
| sort by LogonCount desc

Special Privileges Assigned (4672)

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4672
| where SubjectUserName !endswith "$"  // Exclude computer accounts
| summarize 
    PrivilegedLogons = count(),
    UniqueWorkstations = dcount(WorkstationName),
    Workstations = make_set(WorkstationName, 10)
    by SubjectUserName, SubjectDomainName
| sort by PrivilegedLogons desc

First-Time Privileged Access

let lookback = 30d;
let timeframe = 1d;
let baseline = SecurityEvent
| where TimeGenerated between (ago(lookback) .. ago(timeframe))
| where EventID == 4672
| summarize by SubjectUserName, SubjectDomainName;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4672
| where SubjectUserName !endswith "$"
| join kind=leftanti baseline on SubjectUserName, SubjectDomainName
| project TimeGenerated, SubjectUserName, SubjectDomainName, WorkstationName, LogonType

---

Sensitive Group Changes

Domain Admin Group Modifications

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
| where TargetUserName in~ (
    "Domain Admins", 
    "Enterprise Admins", 
    "Schema Admins",
    "Administrators",
    "Account Operators",
    "Backup Operators")
| project 
    TimeGenerated,
    EventID,
    Action = case(
        EventID in (4728, 4732, 4756), "Member Added",
        EventID in (4729, 4733, 4757), "Member Removed",
        "Unknown"),
    TargetGroup = TargetUserName,
    MemberAdded = MemberName,
    ChangedBy = SubjectUserName,
    ChangedFrom = Computer
| sort by TimeGenerated desc

Entra ID Role Assignments

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("Add member to role", "Add eligible member to role", "Add scoped member to role")
| extend 
    TargetUser = tostring(TargetResources[0].userPrincipalName),
    RoleName = tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue),
    InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| where RoleName has_any ("Global Administrator", "Privileged Role Administrator", "Security Administrator", "Exchange Administrator", "SharePoint Administrator")
| project TimeGenerated, OperationName, TargetUser, RoleName, InitiatedBy, Result

PIM Role Activations

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to role completed (PIM activation)"
| extend 
    ActivatedBy = tostring(InitiatedBy.user.userPrincipalName),
    RoleName = tostring(TargetResources[0].displayName),
    Justification = tostring(AdditionalDetails[3].value)
| project TimeGenerated, ActivatedBy, RoleName, Justification, Result
| sort by TimeGenerated desc

---

Kerberos Attack Detection

Kerberoasting Detection

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769
| where ServiceName !endswith "$"  // Exclude computer accounts
| where TicketEncryptionType == "0x17"  // RC4 encryption
| summarize 
    RequestCount = count(),
    UniqueServices = dcount(ServiceName),
    Services = make_set(ServiceName, 20)
    by TargetUserName, IpAddress
| where RequestCount > 5 or UniqueServices > 3
| sort by RequestCount desc

AS-REP Roasting Detection

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4768
| where PreAuthType == "0"  // No pre-authentication
| where TargetUserName !endswith "$"
| project TimeGenerated, TargetUserName, IpAddress, ServiceName, TicketEncryptionType
| sort by TimeGenerated desc

Golden Ticket Indicators

// TGT requests with anomalies
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4768
| where TicketOptions has_any ("0x40810010", "0x60810010")  // Renewable, forwardable
| where TargetUserName !endswith "$"
| extend TicketLifetime = datetime_diff('hour', TicketExpiryTime, TimeGenerated)
| where TicketLifetime > 10  // Abnormally long lifetime
| project TimeGenerated, TargetUserName, IpAddress, ServiceName, TicketLifetime, TicketOptions

Silver Ticket / Service Ticket Anomalies

// TGS requests without corresponding TGT
let TGTRequests = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4768
| project TGTTime = TimeGenerated, TGTUser = TargetUserName, TGTClient = IpAddress;
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769
| join kind=leftanti TGTRequests on $left.TargetUserName == $right.TGTUser, $left.IpAddress == $right.TGTClient
| where ServiceName !endswith "$"
| project TimeGenerated, TargetUserName, ServiceName, IpAddress, TicketEncryptionType

---

DCSync & Replication Attacks

DCSync Detection

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4662
| where ObjectType contains "domainDNS"
| where Properties has_any (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  // DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  // DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c")  // DS-Replication-Get-Changes-In-Filtered-Set
| where SubjectUserName !endswith "$"
| project TimeGenerated, SubjectUserName, SubjectDomainName, ObjectName, Properties, Computer
| sort by TimeGenerated desc

Defender for Identity - DCSync

IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Directory Service Replication"
| where DestinationDeviceName !contains "DC"
| project Timestamp, AccountDisplayName, DestinationDeviceName, TargetDeviceName, Application

---

ACL & Permission Abuse

AdminSDHolder Modification

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4780
| project TimeGenerated, SubjectUserName, SubjectDomainName, TargetUserName, Computer
| sort by TimeGenerated desc

Object Permission Changes

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4670
| where ObjectType has_any ("user", "group", "computer")
| project 
    TimeGenerated,
    SubjectUserName,
    ObjectName,
    ObjectType,
    OldSd,
    NewSd,
    Computer
| sort by TimeGenerated desc

Delegation Configuration Changes

// Detect changes to delegation settings
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Attribute modified"
| where AdditionalFields has_any (
    "msDS-AllowedToDelegateTo",
    "msDS-AllowedToActOnBehalfOfOtherIdentity",
    "userAccountControl")
| project Timestamp, AccountDisplayName, TargetAccountDisplayName, AdditionalFields

---

Local Privilege Escalation

Token Manipulation Detection

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in (
    "CreateRemoteThreadApiCall",
    "OpenProcessApiCall",
    "DuplicateTokenApiCall",
    "ImpersonateLoggedOnUserApiCall")
| where InitiatingProcessFileName !in~ ("services.exe", "lsass.exe", "svchost.exe", "csrss.exe")
| project Timestamp, DeviceName, ActionType, 
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FileName, ProcessCommandLine

Suspicious Service Installation

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| extend ServicePath = tostring(parse_json(AdditionalFields).ServicePath)
| extend ServiceAccount = tostring(parse_json(AdditionalFields).ServiceAccount)
| where ServicePath !startswith "C:\\Windows\\System32"
    or ServiceAccount == "LocalSystem"
| project Timestamp, DeviceName, ServiceName, ServicePath, ServiceAccount, InitiatingProcessFileName

UAC Bypass Detection

DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Fodhelper bypass
    (FileName =~ "fodhelper.exe" and InitiatingProcessFileName !~ "explorer.exe")
    // Eventvwr bypass
    or (FileName =~ "eventvwr.exe" and InitiatingProcessFileName !~ "explorer.exe")
    // Computerdefaults bypass
    or (FileName =~ "computerdefaults.exe" and InitiatingProcessFileName !~ "explorer.exe")
    // CMSTP bypass
    or (FileName =~ "cmstp.exe" and ProcessCommandLine has "/au")
    // WSReset bypass
    or (FileName =~ "wsreset.exe" and InitiatingProcessFileName !~ "explorer.exe")
)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Scheduled Task Privilege Escalation

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ScheduledTaskCreated"
| extend TaskName = tostring(parse_json(AdditionalFields).TaskName)
| extend TaskContent = tostring(parse_json(AdditionalFields).TaskContent)
| where TaskContent has_any ("SYSTEM", "S-1-5-18", "NT AUTHORITY")
| where InitiatingProcessAccountSid !startswith "S-1-5-18"  // Not created by SYSTEM
| project Timestamp, DeviceName, TaskName, InitiatingProcessAccountName, InitiatingProcessFileName

---

OAuth & Application Abuse

Suspicious OAuth Consent Grants

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties[4].newValue)
| extend ConsentedBy = tostring(InitiatedBy.user.userPrincipalName)
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "User.ReadWrite.All")
| project TimeGenerated, AppName, Permissions, ConsentedBy, Result

Application Permission Changes

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any (
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Add application")
| extend TargetApp = tostring(TargetResources[0].displayName)
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, TargetApp, ModifiedBy, Result
| sort by TimeGenerated desc

Service Principal Credential Addition

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any (
    "Add service principal credentials",
    "Update application – Certificates and secrets management")
| extend AppName = tostring(TargetResources[0].displayName)
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, AppName, ModifiedBy, Result

---

Conditional Access & Access Policy

Conditional Access Policy Changes

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any (
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy")
| extend PolicyName = tostring(TargetResources[0].displayName)
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, PolicyName, ModifiedBy, Result

Sign-ins Bypassing Conditional Access

SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0  // Successful
| where ConditionalAccessStatus == "notApplied"
| where UserPrincipalName !has "#EXT#"  // Exclude guest accounts
| summarize 
    BypassCount = count(),
    UniqueApps = dcount(AppDisplayName),
    Apps = make_set(AppDisplayName, 10)
    by UserPrincipalName, IPAddress, Location
| where BypassCount > 5
| sort by BypassCount desc

Legacy Authentication Usage

SigninLogs
| where TimeGenerated > ago(7d)
| where ClientAppUsed in ("Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Other clients")
| summarize 
    LegacyAuthCount = count(),
    UniqueUsers = dcount(UserPrincipalName),
    Users = make_set(UserPrincipalName, 20)
    by ClientAppUsed, IPAddress
| sort by LegacyAuthCount desc

---

Lateral Movement Detection

Unusual Lateral Movement Patterns

IdentityLogonEvents
| where Timestamp > ago(24h)
| where LogonType in ("RemoteInteractive", "Network")
| summarize 
    TargetDevices = dcount(TargetDeviceName),
    DeviceList = make_set(TargetDeviceName, 50),
    LogonCount = count()
    by AccountUpn, bin(Timestamp, 1h)
| where TargetDevices > 5
| sort by TargetDevices desc

Pass-the-Hash / Pass-the-Ticket

IdentityLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "Network"
| where Protocol in ("NTLM", "Kerberos")
| where isnotempty(FailureReason)
| summarize 
    FailedAttempts = count(),
    TargetDevices = dcount(TargetDeviceName),
    Reasons = make_set(FailureReason)
    by AccountUpn, Protocol
| where FailedAttempts > 10

---

Response Actions & Remediation

Immediate Containment Actions

Scenario	Action	Method
Compromised Privileged Account	Disable account	AD + Entra ID disable
Active Privilege Escalation	Isolate affected systems	MDE device isolation
DCSync Detected	Block source IP, disable account	Firewall + AD disable
Rogue Admin Account	Disable and remove from groups	AD + Entra ID
Malicious OAuth App	Revoke consent, disable app	Entra ID Enterprise Apps
Golden Ticket Suspected	Reset KRBTGT (twice)	AD KRBTGT reset script
Unauthorized Role Assignment	Remove role assignment	Entra ID / PIM

Privileged Account Remediation

Active Directory

# Disable compromised account
Disable-ADAccount -Identity "compromised_user"

# Remove from all privileged groups
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
foreach ($group in $privilegedGroups) {
    Remove-ADGroupMember -Identity $group -Members "compromised_user" -Confirm:$false
}

# Reset password
Set-ADAccountPassword -Identity "compromised_user" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempP@ssw0rd!" -Force)

# Force password change at next logon
Set-ADUser -Identity "compromised_user" -ChangePasswordAtLogon $true

# Check and remove any delegations
Get-ADUser "compromised_user" -Properties msDS-AllowedToDelegateTo | 
    Set-ADUser -Clear "msDS-AllowedToDelegateTo"

Entra ID

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# Block sign-in
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false

# Revoke all sessions
Revoke-MgUserSignInSession -UserId "user@domain.com"

# Remove from privileged roles
$userId = (Get-MgUser -UserId "user@domain.com").Id
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$userId'"
foreach ($assignment in $roleAssignments) {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
}

# Remove from PIM eligible roles
$eligibleAssignments = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$userId'"
# Review and remove as needed

KRBTGT Reset Procedure

⚠️ Warning: KRBTGT reset affects all Kerberos tickets in the domain. Plan carefully and reset twice with appropriate interval.

# Download and use the official Microsoft KRBTGT reset script
# https://github.com/microsoft/New-KrbtgtKeys.ps1

# First reset
.\New-KrbtgtKeys.ps1 -Mode 2

# Wait for replication (minimum 10 hours recommended, or 2x maximum ticket lifetime)
# Monitor for authentication issues

# Second reset (invalidates all tickets including any forged ones)
.\New-KrbtgtKeys.ps1 -Mode 2

OAuth Application Remediation

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Revoke OAuth consent for specific app
$servicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'Malicious App'"
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $servicePrincipal.Id
foreach ($grant in $grants) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
}

# Disable the application
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AccountEnabled:$false

# Remove app role assignments
$appRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id
foreach ($assignment in $appRoleAssignments) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentId $assignment.Id
}

---

Quick Reference Cards

Privilege Escalation Attack Identification

Attack	Key Indicators	Primary Detection
Kerberoasting	RC4 TGS requests, bulk service ticket requests	Event 4769, MDI
AS-REP Roasting	4768 without pre-auth, accounts with DONT_REQ_PREAUTH	Event 4768, MDI
DCSync	Replication from non-DC, 4662 with replication GUIDs	Event 4662, MDI
Golden Ticket	TGT anomalies, long lifetime, forged PAC	MDI, Event 4768
Silver Ticket	TGS without TGT, service ticket anomalies	MDI, Event 4769
Pass-the-Hash	NTLM from unusual source, network logon type	Event 4776, MDI
Pass-the-Ticket	Kerberos reuse across systems	MDI, correlation
GPO Abuse	GPO modification, link changes	Event 5136, 5137
AdminSDHolder	ACL modification on protected objects	Event 4780
Delegation Abuse	msDS-AllowedToDelegateTo changes	Event 5136, MDI

Critical AD Object GUIDs for Detection

GUID	Object/Permission	Risk
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2	DS-Replication-Get-Changes	DCSync
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2	DS-Replication-Get-Changes-All	DCSync
89e95b76-444d-4c62-991a-0facbeda640c	DS-Replication-Get-Changes-In-Filtered-Set	DCSync
00000000-0000-0000-0000-000000000000	All extended rights	Full control
00299570-246d-11d0-a768-00aa006e0529	User-Force-Change-Password	Password reset

Entra ID Critical Roles

Role	Risk Level	Monitor For
Global Administrator	Critical	Any assignment
Privileged Role Administrator	Critical	Any assignment
Security Administrator	High	Unusual assignment
Exchange Administrator	High	Mailbox access abuse
SharePoint Administrator	High	Data access abuse
Application Administrator	High	App permission abuse
Cloud Application Administrator	High	App permission abuse
Authentication Administrator	High	MFA/password bypass
User Administrator	Medium	Account creation

---

Escalation Matrix

Severity Classification

Severity	Criteria	Response Time
🔴 Critical	Domain Admin compromise, DCSync confirmed, Golden Ticket, Global Admin compromise	Immediate - 15 min
🟠 High	Privileged account compromise, sensitive group changes, Kerberoasting success	30 min - 1 hour
🟡 Medium	Privilege escalation attempt blocked, suspicious privilege usage	4 hours
🟢 Low	Failed privilege escalation, reconnaissance activity	Next business day

Escalation Triggers

Condition	Escalation Level
Domain Admin/Global Admin compromised	DFIR + Identity Team + CISO
DCSync/Golden Ticket detected	DFIR + Identity Team
Multiple privileged accounts affected	Tier 2 SOC + DFIR
Kerberoasting with successful cracks	Tier 2 SOC
Sensitive group membership change	Tier 2 SOC
Unauthorized PIM activation	Tier 2 SOC
OAuth admin consent abuse	Tier 2 SOC + App Owner

Notification Requirements

Severity	Internal Notification	External Notification
Critical	CISO, CIO, Legal (1 hour)	Consider regulatory (24-72 hours)
High	Security Leadership (4 hours)	As required
Medium	SOC Manager (next shift)	N/A
Low	Standard reporting	N/A

---

MITRE ATT&CK Mapping

Privilege Escalation (TA0004)

Technique	ID	Description	Detection
Abuse Elevation Control Mechanism	T1548	UAC bypass, sudo abuse	DeviceProcessEvents
Access Token Manipulation	T1134	Token theft/impersonation	DeviceEvents
Boot or Logon Autostart	T1547	Persistence for priv code	DeviceRegistryEvents
Create or Modify System Process	T1543	Service/daemon creation	DeviceEvents
Domain Policy Modification	T1484	GPO modification	SecurityEvent 5136
Event Triggered Execution	T1546	WMI, accessibility features	DeviceEvents
Exploitation for Privilege Escalation	T1068	Kernel/software exploits	MDE Alerts
Hijack Execution Flow	T1574	DLL hijacking, path interception	DeviceProcessEvents
Process Injection	T1055	Code injection techniques	DeviceEvents
Scheduled Task/Job	T1053	Elevated task creation	DeviceEvents
Valid Accounts	T1078	Privileged account abuse	SigninLogs, IdentityLogonEvents

Credential Access (Related)

Technique	ID	Description	Detection
OS Credential Dumping	T1003	LSASS, SAM, DCSync	DeviceEvents, SecurityEvent 4662
Steal or Forge Kerberos Tickets	T1558	Golden/Silver ticket, Kerberoasting	SecurityEvent 4768/4769, MDI
Unsecured Credentials	T1552	Credentials in files/registry	DeviceFileEvents

Persistence (Related)

Technique	ID	Description	Detection
Account Manipulation	T1098	Add credentials, SSH keys	AuditLogs, SecurityEvent
Create Account	T1136	Local/domain/cloud accounts	SecurityEvent 4720, AuditLogs

---

Appendix: Investigation Commands

Active Directory Enumeration

# Find users with SPN (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
    Select-Object Name, SamAccountName, ServicePrincipalName

# Find users without pre-auth (AS-REP Roasting targets)
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
    Select-Object Name, SamAccountName, DoesNotRequirePreAuth

# Get members of privileged groups
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive | Select-Object Name, SamAccountName

# Check for unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation |
    Select-Object Name, DNSHostName, TrustedForDelegation

# Check for constrained delegation
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, SamAccountName, msDS-AllowedToDelegateTo

# Find AdminSDHolder protected objects
Get-ADObject -Filter {AdminCount -eq 1} -Properties AdminCount | Select-Object Name, ObjectClass

# Check recent privileged group changes
Get-ADGroup -Identity "Domain Admins" -Properties whenChanged | Select-Object Name, whenChanged

ACL Analysis

# Get ACL for sensitive objects
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DistinguishedName

# Domain object permissions
(Get-Acl "AD:\$domain").Access | Where-Object {$_.ActiveDirectoryRights -match "ExtendedRight"} |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# AdminSDHolder permissions
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domain"
(Get-Acl "AD:\$adminSDHolder").Access | Select-Object IdentityReference, ActiveDirectoryRights

# Check GPO permissions
Get-GPO -All | ForEach-Object {
    $gpo = $_
    $permissions = Get-GPPermission -Guid $gpo.Id -All
    $permissions | Select-Object @{N='GPO';E={$gpo.DisplayName}}, Trustee, Permission
}

Entra ID Investigation

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "RoleManagement.Read.All"

# Get all Global Administrators
$globalAdminRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id | ForEach-Object {
    Get-MgUser -UserId $_.Id | Select-Object DisplayName, UserPrincipalName
}

# Get recent role assignments
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add member to role'" -Top 50 |
    Select-Object ActivityDateTime, InitiatedBy, TargetResources

# Get service principals with high privileges
$appRoles = Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
    foreach ($assignment in $assignments) {
        [PSCustomObject]@{
            AppDisplayName = $sp.DisplayName
            AppRoleId = $assignment.AppRoleId
            PrincipalType = $assignment.PrincipalType
        }
    }
}

# Check OAuth consent grants
Get-MgOauth2PermissionGrant -All | Where-Object {$_.ConsentType -eq "AllPrincipals"} |
    Select-Object ClientId, Scope, ConsentType

Local Privilege Escalation Checks

# Check for unquoted service paths
Get-WmiObject -Class Win32_Service | Where-Object {
    $_.PathName -notlike '"*' -and 
    $_.PathName -like '* *' -and 
    $_.PathName -notlike 'C:\Windows\*'
} | Select-Object Name, PathName, StartMode

# Check AlwaysInstallElevated
$hklm = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
$hkcu = Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
if ($hklm.AlwaysInstallElevated -eq 1 -and $hkcu.AlwaysInstallElevated -eq 1) {
    Write-Warning "AlwaysInstallElevated is enabled - privilege escalation possible!"
}

# Check for writable service binaries
$services = Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -ne $null}
foreach ($service in $services) {
    $path = ($service.PathName -split '"')[1]
    if ($path -and (Test-Path $path)) {
        $acl = Get-Acl $path
        $writable = $acl.Access | Where-Object {
            $_.FileSystemRights -match "Write|FullControl" -and
            $_.IdentityReference -notmatch "SYSTEM|Administrators|TrustedInstaller"
        }
        if ($writable) {
            Write-Warning "Writable service binary: $path"
        }
    }
}

# Check scheduled tasks running as SYSTEM
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM"} |
    Select-Object TaskName, TaskPath, @{N='Actions';E={$_.Actions.Execute}}

---

⚠️ Critical Reminder: Privilege escalation investigations often uncover broader compromise. Always assume lateral movement has occurred and expand investigation scope accordingly. When Domain Admin or Global Admin compromise is suspected, engage DFIR immediately and consider the entire environment potentially compromised.