Privilege Escalation (TA0004) Techniques

Introduction

Investigating privilege escalation incidents forensically on workstations and server systems is critical in identifying how an attacker or malicious user gained elevated access. Privilege escalation can occur in various ways, such as exploiting system vulnerabilities, misconfigurations, or leveraging stolen credentials.

Understanding Privilege Escalation

  • Vertical Escalation: Attacker gains higher-level privileges (e.g., regular user to administrator).

  • Horizontal Escalation: Attacker expands access across accounts at the same privilege level.

  • Common Techniques: Exploiting vulnerabilities, password cracking, manipulating user accounts, token manipulation, etc.

Data Collection and Preservation

  • Forensic Imaging: Create forensic images of affected systems using tools like FTK Imager or dd.

  • Memory Capture: Use tools like WinPmem or Magnet RAM Capture to capture live memory.

  • Log Collection: Collect relevant logs, including security logs, system logs, application logs, and audit logs.

Initial Analysis and Identification

  • Security Logs Analysis: Look for anomalous logon activity, especially Event IDs 4624 (successful logon), 4625 (failed logon) and 4672 (special privileges assigned to a new logon). A 4672 on its own is noise, because every administrative logon produces one; correlate it with the 4624 that carries the same Logon ID to see who received the rights, from where and through which logon type, and pair it with 4728,4732 and 4756 (member added to a global, local or universal security group) for membership changes.

  • Account Review: Examine user accounts for unauthorised creation, modification, or elevation of privileges.

  • System and Application Logs: Check for logs indicating changes in system settings or application configurations that could lead to privilege escalation.
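The 4624/4672 correlation described above, written out as an added KQL example (not from the original page) for a Sentinel workspace that ingests Windows Security events into the SecurityEvent table. 4672 names the session in SubjectLogonId while 4624 names it in TargetLogonId, so the join key is renamed; the domain_controllers list is a placeholder to replace with your own DC names, since every admin logon to a DC legitimately carries these rights.

```kql
// Added example: tie each "special privileges assigned" event (4672) to the logon
// session it belongs to (4624) and keep console, RDP and cached logons by human
// accounts. Assumptions: SecurityEvent table (Sentinel), a 7-day lookback, and
// placeholder DC names to replace before use.
let lookback = 7d;
let domain_controllers = dynamic(["dc01.corp.example", "dc02.corp.example"]);
let high_value_privs = dynamic(["SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                                "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"]);
let logons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (2, 10, 11)                 // Interactive, RemoteInteractive, CachedInteractive
    | where not(TargetUserName endswith "$")         // drop machine accounts
    | project LogonTime = TimeGenerated, Computer, TargetLogonId, TargetDomainName, TargetUserName,
              LogonType, IpAddress, LogonProcessName, AuthenticationPackageName;
let special_privileges =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4672
    | where PrivilegeList has_any (high_value_privs)
    // 4672 reports the session in SubjectLogonId; rename it so the join key matches 4624
    | project PrivTime = TimeGenerated, Computer, TargetLogonId = SubjectLogonId, PrivilegeList;
logons
| join kind=inner special_privileges on Computer, TargetLogonId
| where Computer !in~ (domain_controllers)
| project LogonTime, Computer, TargetDomainName, TargetUserName, LogonType, IpAddress,
          LogonProcessName, AuthenticationPackageName, PrivilegeList
| order by LogonTime desc
```

Logon IDs are only unique per boot on a single host, which is why the join is on Computer as well as the ID. A standard user who suddenly appears in this output, or an admin logging on from a workstation rather than a jump host, is the first pivot; the next is the 4728/4732/4756 group-membership events for the same account in the same window.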

In-Depth Investigation

  • Vulnerability Exploitation: Establish whether a known vulnerability was exploited by comparing the host's installed updates at the time of the incident (Get-HotFix or the Windows Update history) against the local privilege escalation advisories current at that date, and by looking for exploit artefacts such as dropped binaries, crash dumps in C:\Windows\Minidump or WER reports from a crashed service. Scanners like Nessus or OpenVAS report the current state, which is only retrospective if the system has not been patched since.

  • Group Policy Analysis: Review group policies for misconfigurations that may have allowed privilege escalation.

  • File and Registry Analysis: Look for unauthorised modifications in critical system files and registry entries that could indicate privilege changes.

Artifact Analysis

  • Windows Registry: The SAM hive for local accounts and Administrators membership, SYSTEM\CurrentControlSet\Services for changed service ImagePath or ObjectName (run-as) values, Image File Execution Options and Run keys, and the HKCU\Software\Classes handler keys that UAC bypasses plant.

  • Event Tracing Logs: Examine ETL files for evidence of privilege escalation activities.

  • Scheduled Tasks: Check the task XML under C:\Windows\System32\Tasks and the TaskCache registry key for tasks created or modified by unauthorised users, especially tasks that run as SYSTEM or with highest privileges.

  • Service Configuration: Analyse services for a changed binary path, an unquoted path containing spaces, weak service or binary ACLs (AccessChk shows both) and run-as account changes, each of which lets a lower-privileged user run code as the service account.

Network Analysis (if applicable)

  • Analyse network traffic for signs of lateral movement or external communications that might be related to the privilege escalation.

Use of Specialised Forensic Tools

  • Forensic Suites: Tools like EnCase, X-Ways Forensics, or Autopsy for comprehensive analysis.

  • Windows-specific Tools: Windows Event Viewer, Sysinternals Suite, AccessChk, and Process Monitor.

Documentation and Reporting

  • Detailed Documentation: Document every step, including tools used, findings, and methodologies.

  • Forensic Report: Prepare a comprehensive report detailing the privilege escalation incident and its impact.

Post-Investigation Actions

  • Remediation and Mitigation: Implement necessary fixes, security updates, and policy changes.

  • Recovery: Restore systems and data from backups if necessary.

  • Lessons Learned: Conduct a review to improve security posture and response strategies.

Key Considerations

  • Legal and Compliance: Ensure all investigative actions comply with legal and organisational guidelines.

  • Chain of Custody: Maintain a clear chain of custody for all forensic evidence.

  • Confidentiality and Integrity: Handle all data securely and maintain its integrity.

Each privilege escalation incident is unique and might require a customised approach. Tailor the investigation to the specifics of the case and the environment in which you are operating.

Using KQL to Investigate Privilege Escalation Activities in an Environment Using Defender/Sentinel

Privilege Escalation techniques allow adversaries to gain higher-level permissions on a system. These elevated privileges may be used to execute malicious actions, access sensitive data, or move laterally across the network.

1. T1055 - Process Injection

Objective: Detect attempts to inject code into the address space of another process to gain elevated privileges or evade detection.

A caveat that applies to every query in this section: Win32 and NT API names such as CreateRemoteThread never appear on a process command line when a compiled binary calls them. These patterns only fire when the API name is part of script text passed on the command line, for example a PowerShell loader that declares P/Invoke signatures with Add-Type, or a one-liner that compiles C# inline. Treat them as low-fidelity tripwires. The injection calls themselves are recorded by MDE as DeviceEvents rows with ActionType values such as CreateRemoteThreadApiCall, NtAllocateVirtualMemoryRemoteApiCall, NtMapViewOfSectionRemoteApiCall, QueueUserApcRemoteApiCall and SetThreadContextRemoteApiCall, and those are the fields to build detections on. Encoded command lines (-EncodedCommand) must be decoded before any string match below can hit.

  1. Detect Remote Thread Injection

DeviceProcessEvents | where ProcessCommandLine has_any ("CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify script text naming the thread-creation APIs that remote-thread injection relies on; CreateRemoteThreadApiCall in DeviceEvents is the telemetry for the real call.

  2. Monitor for DLL Injection Techniques

DeviceProcessEvents | where ProcessCommandLine has "WriteProcessMemory" and ProcessCommandLine has_any ("LoadLibrary", "LoadLibraryA", "LoadLibraryW", "GetProcAddress") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Classic DLL injection writes a DLL path into the target with WriteProcessMemory and starts a remote thread at LoadLibrary; requiring both halves removes the scripts that merely mention LoadLibrary.

  3. Identify Process Hollowing Attempts

DeviceProcessEvents | where ProcessCommandLine has_any ("NtUnmapViewOfSection", "ZwUnmapViewOfSection") and ProcessCommandLine has_any ("SetThreadContext", "ResumeThread", "CREATE_SUSPENDED") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Hollowing starts a legitimate executable suspended, unmaps its image, writes the payload and resumes the primary thread at a new entry point; SetThreadContextRemoteApiCall in DeviceEvents records the resume step directly.

  4. Detect APC Injection

DeviceProcessEvents | where ProcessCommandLine has_any ("NtQueueApcThread", "QueueUserAPC") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: APC (Asynchronous Procedure Call) injection queues the payload on an existing thread of the target instead of creating one; QueueUserApcRemoteApiCall is the corresponding DeviceEvents ActionType.

  5. Monitor for PowerShell In-Memory Loaders

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Invoke-Expression", "IEX") and ProcessCommandLine has_any ("VirtualAlloc", "CreateThread", "Marshal", "DllImport") | project Timestamp, DeviceName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Invoke-Expression on its own is far too common to alert on; paired with memory-allocation, thread or P/Invoke tokens it narrows to loaders that run shellcode or a reflective DLL in memory.

  6. Identify Shellcode Injection

DeviceProcessEvents | where ProcessCommandLine has_all ("VirtualAllocEx", "WriteProcessMemory") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: The canonical sequence is VirtualAllocEx, WriteProcessMemory, CreateRemoteThread; in telemetry it appears as NtAllocateVirtualMemoryRemoteApiCall followed within seconds by CreateRemoteThreadApiCall from the same initiating process.

  7. Detect Process Doppelgänging

DeviceProcessEvents | where ProcessCommandLine has_any ("NtCreateTransaction", "CreateFileTransacted", "NtRollbackTransaction", "NtCreateSection") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Doppelgänging writes the payload into a file inside an NTFS transaction (TxF), creates an image section from it and rolls the transaction back so the file never exists on disk; the transaction API names are the only part of that which can surface in script text.

  8. Monitor for Section-Mapping Injection

DeviceProcessEvents | where ProcessCommandLine has_any ("NtMapViewOfSection", "NtCreateSection", "SetThreadContext", "RtlCreateUserThread") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Mapping a section into the target avoids WriteProcessMemory altogether; NtMapViewOfSectionRemoteApiCall is the DeviceEvents record of that call.

  9. Identify Injection via Zw-Prefixed Section APIs

DeviceProcessEvents | where ProcessCommandLine has_any ("ZwMapViewOfSection", "ZwCreateSection", "ZwCreateThreadEx") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: The Zw-prefixed exports are the same ntdll primitives as their Nt counterparts; loaders use them precisely because string-based detections tend to list only the Nt names. Loaders that write into unused space of an existing section (a code cave) typically use these names too.

  10. Detect Hijacking of Process Execution via IFEO

DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryKeyCreated") and RegistryKey has @"\Image File Execution Options\" and RegistryValueName =~ "Debugger" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: An Image File Execution Options (IFEO) Debugger value makes Windows launch the named program whenever the target executable starts; the classic escalation points sethc.exe or utilman.exe at cmd.exe for a SYSTEM shell from the logon screen. The write lands under HKLM, so DeviceRegistryEvents, not the command line, is where it shows.
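The telemetry-based alternative to the string matches in this section, as an added KQL example (not from the original page): the cross-process API calls MDE records as DeviceEvents rows. In these rows the injecting process is InitiatingProcess*, and FileName, FolderPath and ProcessId describe the target. The ActionType names are the documented MDE values and are assumed to be enabled in your tenant; the expected_injectors list is a tuning starting point, not a vetted allow-list.

```kql
// Added example: summarise cross-process injection calls per injecting binary.
// Assumptions: ActionType values as documented for MDE (enumerate yours with
//   DeviceEvents | where Timestamp > ago(1d) | summarize count() by ActionType);
// expected_injectors and high_value_targets are starting points for tuning.
let lookback = 7d;
let injection_actions = dynamic(["CreateRemoteThreadApiCall",
                                 "NtAllocateVirtualMemoryRemoteApiCall",
                                 "NtMapViewOfSectionRemoteApiCall",
                                 "QueueUserApcRemoteApiCall",
                                 "SetThreadContextRemoteApiCall"]);
let expected_injectors = dynamic(["csrss.exe", "werfault.exe", "msmpeng.exe", "mssense.exe"]);
let high_value_targets = dynamic(["lsass.exe", "winlogon.exe", "services.exe", "explorer.exe", "svchost.exe"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in (injection_actions)
| where InitiatingProcessFileName !in~ (expected_injectors)
| extend TargetProcess = FileName, TargetPath = FolderPath, TargetPid = ProcessId
| extend InjectorInUserPath = InitiatingProcessFolderPath has_any (@"\Users\", @"\ProgramData\", @"\Temp\"),
         TargetIsSystemProcess = TargetProcess in~ (high_value_targets)
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Actions = make_set(ActionType), Targets = make_set(TargetProcess, 10),
            SystemTargets = countif(TargetIsSystemProcess)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessFolderPath, InitiatingProcessSHA1, InjectorInUserPath
// Crude triage score: unusual path, several distinct primitives, system-process targets
| extend Score = toint(InjectorInUserPath) + array_length(Actions) + iff(SystemTargets > 0, 2, 0)
| order by Score desc, Events asc
```

An injector that uses two or more of these primitives against the same target (allocate, then map or create a thread) within a few seconds is the shellcode-injection sequence the string queries above can only guess at; sort by Events ascending to surface one-off injectors before chatty legitimate ones.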

2. T1543 - Create or Modify System Process

Objective: Detect the creation or modification of system processes (e.g., services, daemons) to gain elevated privileges.

Two properties of DeviceServiceEvents shape every query below. First, the installing process is almost always SYSTEM (services.exe, msiexec.exe, TrustedInstaller), so a filter on InitiatingProcessAccountName == "SYSTEM" selects nearly every row rather than the interesting ones; == is also case-sensitive and MDE stores the account name in lower case, so use =~ or in~. Second, the service binary path (ImagePath) is not a top-level column; it is in Security event 4697 (ServiceFileName) or System event 7045, or buried in AdditionalFields. Enumerate the ActionType and ServiceStartType values your tenant emits (summarize count() by ActionType, ServiceStartType) before relying on literal values.

  1. Baseline New Service Installations

DeviceServiceEvents | where ActionType == "ServiceInstalled" | project Timestamp, DeviceName, ServiceName, ServiceStartType, ServiceAccount, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Every service install, with the account the service will run as (ServiceAccount) and the process that created it; the remaining queries narrow this set.

  2. Monitor for Modifications to Existing Services

Event | where EventLog == "System" and Source == "Service Control Manager" and EventID == 7040 | project TimeGenerated, Computer, RenderedDescription

Purpose: If your tenant emits ActionType values for service changes in DeviceServiceEvents, add them here; otherwise start-type changes (a disabled security service switched to manual, a hijacked service set to auto start) are logged by the Service Control Manager as System event 7040, which lands in the Sentinel Event table.

  3. Identify Services Configured to Auto Start

DeviceServiceEvents | where ActionType == "ServiceInstalled" and ServiceStartType startswith "Auto" | project Timestamp, DeviceName, ServiceName, ServiceStartType, ServiceAccount, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Auto-start (including delayed auto-start) services run at boot under the configured account, usually LocalSystem, which is the persistence-with-privilege combination; startswith matches whichever Auto/Automatic spelling your tenant uses.

  4. Detect Services Installed From an Interpreter

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "sc.exe") | project Timestamp, DeviceName, ServiceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: InitiatingProcessCommandLine is the command line of the installing process, not of the service; installs driven by sc.exe create or New-Service from a shell, rather than by an installer (msiexec.exe, a setup executable), deserve a look at that command line.

  5. Monitor for Installers Running From Non-Standard Locations

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessFolderPath !startswith @"C:\Windows\" and InitiatingProcessFolderPath !startswith @"C:\Program Files" | project Timestamp, DeviceName, ServiceName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: This is the path of the process that installed the service (KQL has !startswith and !has; there is no has_not). For the path of the service binary itself use Security event 4697, which carries ServiceFileName.

  6. Identify Suspicious Service Names

DeviceServiceEvents | where ActionType == "ServiceInstalled" and (ServiceName has_any ("backdoor", "rat", "trojan") or ServiceName matches regex @"^[A-Za-z0-9]{7}$" or ServiceName matches regex @"^[A-Za-z]{16}$") | project Timestamp, DeviceName, ServiceName, ServiceAccount, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Attackers do not name services "backdoor"; what they leave behind are generated names: Cobalt Strike's psexec module uses seven random alphanumerics and Metasploit's psexec sixteen random letters by default. Tune the regexes against your estate's naming conventions. ServiceDescription is not a column of this table, so the name is the only field available to match on.

  7. Detect Service Installation by Accounts Other Than SYSTEM

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessAccountName !in~ ("system", "local service", "network service") | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Whether an account is administrative cannot be read from its name (a check for != "Administrator" misses every other admin), but a service installed by an interactive user account rather than by SYSTEM is uncommon and quick to review.

  8. Monitor for Services Configured to Run as LocalSystem

DeviceServiceEvents | where ActionType == "ServiceInstalled" and ServiceAccount has_any ("LocalSystem", "SYSTEM") | project Timestamp, DeviceName, ServiceName, ServiceAccount, ServiceStartType, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: ServiceAccount is the identity the service runs as, which is the escalation-relevant field; the installing account is nearly always SYSTEM regardless. Most legitimate services are LocalSystem too, so combine this with the path, name and installer checks above.

  9. Identify Rarely Seen Services

DeviceServiceEvents | where ActionType == "ServiceInstalled" | summarize Installs = count(), Devices = dcount(DeviceId), FirstSeen = min(Timestamp) by ServiceName, ServiceStartType | where Devices <= 3 | order by FirstSeen desc

Purpose: Manual and delayed-auto start types are ordinary, so start type alone is not a signal; rarity is. A service name present on one or two devices in the fleet is far more likely to be attacker-installed than one present on hundreds.

  10. Detect Services Associated with Common Attack Tools

DeviceServiceEvents | where ActionType == "ServiceInstalled" and (InitiatingProcessCommandLine has_any ("mimikatz", "metasploit", "cobalt strike", "meterpreter") or ServiceName =~ "PSEXESVC" or ServiceName startswith "PAExec") | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: PSEXESVC is the service PsExec installs on the remote host (PAExec- its open-source equivalent); tool names in the installer's command line only appear when operators have not renamed their tools.
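Because DeviceServiceEvents does not expose the service binary path, the check practitioners most want (where does the service actually run from, and is it a one-liner rather than a real binary) needs Security event 4697. The following is an added KQL example, not from the original page, over the Sentinel SecurityEvent table. It assumes the "Audit Security System Extension" subcategory is enabled on the hosts (without it 4697 is never written, and System event 7045 in the Event table is the fallback) and that Windows is installed on C:.

```kql
// Added example: new-service installs (4697) flagged when the binary path is outside
// the Windows / Program Files roots, invokes an interpreter, carries an encoded
// PowerShell command, or sits in a user-writable directory.
// Assumptions: SecurityEvent table, 4697 auditing enabled, default C: install.
let lookback = 7d;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4697
// Service paths are often quoted; strip the leading quote and lower-case for matching
| extend ImagePath = tolower(trim_start('"', ServiceFileName))
| extend OutsideTrustedRoot = not(ImagePath startswith @"c:\windows\"
                                  or ImagePath startswith @"%systemroot%\"
                                  or ImagePath startswith @"\??\c:\windows\"
                                  or ImagePath startswith @"c:\program files"),
         InterpreterInPath  = ImagePath has_any ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                                                 "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"),
         EncodedCommand     = ImagePath matches regex @"\s-(e|ec|enc|encodedcommand)\s",
         UserWritablePath   = ImagePath has_any ("users", "programdata", "temp", "appdata", "public")
| where OutsideTrustedRoot or InterpreterInPath or EncodedCommand or UserWritablePath
| project TimeGenerated, Computer, SubjectAccount, ServiceName, ServiceFileName, ServiceAccount,
          ServiceStartType, OutsideTrustedRoot, InterpreterInPath, EncodedCommand, UserWritablePath
| order by TimeGenerated desc
```

A PsExec session appears here as service PSEXESVC with an ImagePath of %SystemRoot%\PSEXESVC.exe, which the trusted-root test lets through on purpose; pair it with the tool-name query above. The four flags are kept as separate columns rather than folded into one so an analyst can sort on the one that matters for the case at hand.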

3. T1068 - Exploitation for Privilege Escalation

Objective: Detect the exploitation of vulnerabilities that allow an adversary to escalate privileges.

Exploitation rarely announces itself on a command line; public proof-of-concept binaries and scripts do carry their CVE or tool names, which is what the string matches below catch. The stronger signals are structural: a kernel driver loaded from an unusual place, a SYSTEM process whose parent ran as an ordinary user, and lsass.exe or winlogon.exe being opened by something other than the usual system components.

  1. Detect Known Exploit Proof-of-Concept Names

DeviceProcessEvents | where ProcessCommandLine has_any ("CVE-2016-0099", "MS16-032", "CVE-2018-8453", "CVE-2019-0841", "CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36934", "CVE-2017-0144") or FileName has_any ("CVE-", "MS16-") | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Only proof-of-concept code that names itself is caught. CVE-2016-0099 (MS16-032), CVE-2018-8453 and CVE-2019-0841 are local privilege escalations; CVE-2021-1675/CVE-2021-34527 (PrintNightmare) and CVE-2021-36934 (HiveNightmare) are the ones commodity tooling most often drops; CVE-2017-0144 (EternalBlue) is SMB remote code execution rather than a local escalation, but the same kits ship both.

  2. Monitor for Exploit-Related Processes

DeviceProcessEvents | where ProcessCommandLine has_any ("exploit", "overflow", "buffer", "privesc", "lpe") and FolderPath has_any (@"\Users\", @"\Temp\", @"\ProgramData\", @"\Downloads\") | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Generic words are noisy (developers, AV vendors, game titles); restricting to executables in user-writable paths keeps the noise manageable. Review rather than alert.

  3. Identify Kernel Driver Loads From Outside the Driver Store

DeviceEvents | where ActionType == "DriverLoad" and FolderPath !startswith @"C:\Windows\System32\drivers\" and FolderPath !startswith @"C:\Windows\System32\DriverStore\" | project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Exploit and bring-your-own-vulnerable-driver tooling loads its driver from wherever it was dropped (a temp or user directory) rather than from the driver store; a fixed malicious file name is never the thing to match on. MDE has no DeviceDriverEvents table; driver loads are DeviceEvents rows.

  4. Detect PowerShell Privilege Escalation Tooling

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Invoke-AllChecks", "Invoke-PrivescAudit", "Find-AllVulns", "Invoke-MS16-032", "Invoke-Mimikatz") | project Timestamp, DeviceName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: PowerUp (Invoke-AllChecks, Invoke-PrivescAudit), Sherlock (Find-AllVulns) and the Empire exploit modules are the usual PowerShell vehicles; encoded command lines need decoding before this matches.

  5. Monitor for Service Installs From User-Writable Paths

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessFolderPath has_any (@"\Users\", @"\Temp\", @"\ProgramData\", @"\Downloads\") | project Timestamp, DeviceName, ServiceName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: A dropped exploit that installs a service (PrintNightmare payload DLLs, Potato-family loaders, service-path hijacks) shows up as a service installed by a binary living outside Program Files and Windows.

  6. Identify Unexpected Access to LSASS or Winlogon

DeviceEvents | where ActionType in ("OpenProcessApiCall", "ReadProcessMemoryApiCall") and FileName in~ ("lsass.exe", "winlogon.exe") and InitiatingProcessFileName !in~ ("msmpeng.exe", "mssense.exe", "csrss.exe", "wmiprvse.exe", "taskmgr.exe", "svchost.exe") | project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName

Purpose: Exploits and token thieves that target these processes need a handle to them first; FileName here is the process being opened and InitiatingProcess* the opener. Tune the exclusion list to the security and management agents in your estate, and confirm the ActionType names are emitted in your tenant.

  7. Detect Use of Exploitation Frameworks

DeviceProcessEvents | where ProcessCommandLine has_any ("metasploit", "meterpreter", "cobalt strike", "cobaltstrike", "empire", "sliver") | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify framework names on a command line; operators who rename their payloads will not appear here, so treat a hit as confirmation, not absence as clearance.

  8. Monitor for Malicious Use of Debugging Tools

DeviceProcessEvents | where FileName in~ ("windbg.exe", "ntsd.exe", "cdb.exe", "kd.exe", "ollydbg.exe", "x64dbg.exe", "x32dbg.exe") | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Attackers seldom ship debuggers; developer and reverse-engineering workstations do, so scope this to devices where no debugger is expected.

  9. Identify Vulnerability Scanners Running Elevated

DeviceProcessEvents | where ProcessCommandLine has_any ("nmap", "nessus", "openvas") and (ProcessTokenElevation == "TokenElevationTypeFull" or ProcessIntegrityLevel in ("High", "System")) | project Timestamp, DeviceName, ProcessCommandLine, ProcessTokenElevation, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: The elevation fields in DeviceProcessEvents are ProcessTokenElevation (TokenElevationTypeDefault, TokenElevationTypeFull, TokenElevationTypeLimited) and ProcessIntegrityLevel; there is no TokenElevationType column. Scanners run elevated from an endpoint, rather than from the scanning infrastructure, are worth asking about.

  10. Detect Attempts to Exploit Privilege Escalation Vulnerabilities via Scripts

DeviceProcessEvents | where ProcessCommandLine has_any (".ps1", ".vbs", ".bat", ".js", ".hta") and ProcessCommandLine has_any ("exploit", "elevation", "privesc") | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify scripts whose names or arguments advertise an escalation attempt.
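Driver loads are the one place in this technique where telemetry beats string matching outright, so here is an added KQL example (not from the original page) that extends the driver query above with signer information from DeviceFileCertificateInfo. It assumes the MDE DeviceEvents ActionType "DriverLoad" and the documented DeviceFileCertificateInfo columns (IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer); that table only holds files MDE has already inspected, so a missing certificate row is treated as unknown, not as trusted.

```kql
// Added example: kernel drivers loaded from outside the driver store, or that are
// unsigned, untrusted, or not rooted in a Microsoft certificate, with the loading
// process and the number of devices affected (rare drivers first).
// Assumptions: DriverLoad ActionType and DeviceFileCertificateInfo columns as documented.
let lookback = 30d;
let certificates =
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "DriverLoad"
| extend Path = tolower(FolderPath)
| extend OutsideDriverStore = not(Path startswith @"c:\windows\system32\drivers\"
                                  or Path startswith @"c:\windows\system32\driverstore\")
| join kind=leftouter certificates on SHA1
| extend CertificateUnknown = isnull(IsSigned),
         Untrusted = IsSigned == false or IsTrusted == false or IsRootSignerMicrosoft == false
| where OutsideDriverStore or CertificateUnknown or Untrusted
| summarize FirstLoad = min(Timestamp), Loads = count(), Devices = dcount(DeviceId),
            Loaders = make_set(InitiatingProcessFileName, 5)
    by FileName, FolderPath, SHA1, Signer, IsSigned, IsTrusted, IsRootSignerMicrosoft,
       OutsideDriverStore, CertificateUnknown
| order by Devices asc, FirstLoad desc
```

A validly signed driver from a hardware or utility vendor that appears on one device, loaded by something other than the Plug and Play service, is the bring-your-own-vulnerable-driver pattern; checking the SHA1 against a published vulnerable-driver list (the LOLDrivers project maintains one) is the natural next step.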

4. T1548 - Abuse Elevation Control Mechanism

Objective: Detect abuse of elevation control mechanisms (e.g., UAC bypass) to gain elevated privileges.

Most UAC bypasses share one shape: a Medium-integrity process plants a handler, usually under the user's own HKCU\Software\Classes hive where no admin rights are needed, then starts a Microsoft binary that Windows auto-elevates; that binary runs the planted handler at High integrity. The child of the auto-elevating binary is therefore the thing to look at, which is why the queries below key on InitiatingProcessFileName (the parent) rather than on strings in the child's command line. In DeviceProcessEvents, FileName, ProcessCommandLine and ProcessIntegrityLevel describe the child and the InitiatingProcess* columns describe the parent.

  1. Detect UAC Bypass via Fodhelper

DeviceProcessEvents | where InitiatingProcessFileName =~ "fodhelper.exe" | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: fodhelper.exe (the Features on Demand helper) normally starts no child processes, so any child, above all cmd.exe or powershell.exe at High integrity, indicates the ms-settings handler hijack.

  2. Monitor for UAC Bypass via Event Viewer

DeviceProcessEvents | where InitiatingProcessFileName =~ "eventvwr.exe" and FileName !~ "mmc.exe" | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: eventvwr.exe is a launcher whose only legitimate child is mmc.exe; any other child means the mscfile\shell\open\command handler was hijacked.

  3. Identify UAC Bypass via ComputerDefaults

DeviceProcessEvents | where InitiatingProcessFileName =~ "computerdefaults.exe" | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: ComputerDefaults.exe opens the Default Apps settings page through the same ms-settings handler fodhelper uses, and otherwise spawns nothing.

  4. Detect UAC Bypass via SilentCleanup

DeviceRegistryEvents | where ActionType == "RegistryValueSet" and RegistryKey startswith "HKEY_CURRENT_USER" and RegistryKey endswith @"\Environment" and RegistryValueName =~ "windir" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: The SilentCleanup scheduled task runs with highest privileges and launches %windir%\system32\cleanmgr.exe; a per-user windir value under HKCU\Environment redirects that expansion to the attacker's binary. The task is then kicked off with schtasks /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup", so a DeviceProcessEvents search for "SilentCleanup" in ProcessCommandLine is the companion check.

  5. Monitor for UAC Bypass via sdclt.exe

DeviceProcessEvents | where InitiatingProcessFileName =~ "sdclt.exe" and FileName !~ "control.exe" | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: sdclt.exe (Backup and Restore) hands off to control.exe; a different child, or a sdclt.exe command line containing /KickOffElev, points at the Folder\shell\open\command or exefile\shell\runas\command hijack.

  6. Identify UAC Bypass via Registry Key Modification

DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryKeyCreated") and RegistryKey startswith "HKEY_CURRENT_USER" and RegistryKey has_any (@"ms-settings\Shell\Open\command", @"mscfile\shell\open\command", @"Folder\shell\open\command", @"exefile\shell\runas\command") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: These HKCU class keys are the handlers the bypasses above plant; writes to them are rare in normal use, and an empty DelegateExecute value beside the default value is the ms-settings signature. MDE records the hive as HKEY_CURRENT_USER, sometimes with the user's SID in the path, which is why the match is on the key suffix rather than on a full HKCU path.

  7. Detect Script Hosts Running Elevated

DeviceProcessEvents | where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe") and ProcessIntegrityLevel in ("High", "System") and InitiatingProcessFileName !in~ ("svchost.exe", "services.exe", "gpscript.exe") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Scripts hosted by wscript, cscript or mshta at High integrity outside logon and Group Policy scripting are a frequent payload stage of a bypass; pivot to the parent to see which elevation path ran them.

  8. Monitor for UAC Bypass via DllHost.exe

DeviceProcessEvents | where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "/Processid:" and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Elevated COM objects run inside a dllhost.exe surrogate started with /Processid:{CLSID}; the ICMLuaUtil interface of CMSTPLUA ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) is the one most bypass tools call to spawn a shell without a prompt. An interpreter as the child of an elevated surrogate is the tell.

  9. Identify UAC Bypass via Sysprep

DeviceImageLoadEvents | where InitiatingProcessFileName =~ "sysprep.exe" and FolderPath !startswith @"C:\Windows\System32\" and FolderPath !startswith @"C:\Windows\SysWOW64\" | project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFolderPath, InitiatingProcessAccountName

Purpose: The sysprep bypass is a DLL search-order hijack (cryptbase.dll and similar planted next to a copied sysprep.exe); a DLL loaded by sysprep.exe from outside System32 is the direct evidence. Legitimate sysprep runs load only from C:\Windows\System32\Sysprep.

  10. Detect Tasks Registered to Run With Highest Privileges

DeviceProcessEvents | where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create" and ProcessCommandLine has "/RL" and ProcessCommandLine has "HIGHEST" | project Timestamp, DeviceName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: /RL HIGHEST makes the task run with the full token of its principal; registering such a task already requires elevation, so this is persistence of elevated access (T1053) rather than a bypass by itself, and the initiating process and account tell you whether that elevation was legitimate.
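The handler-write and the elevated child are two halves of one bypass, and joining them removes most of the noise either half produces on its own. The following is an added KQL example, not from the original page, that correlates a write to one of the per-user handler keys used by the fodhelper, ComputerDefaults, eventvwr and sdclt bypasses with a High-integrity child spawned within ten minutes on the same device by one of the auto-elevating binaries those bypasses abuse. It assumes MDE records the hive as HKEY_CURRENT_USER (sometimes followed by the user's SID) and integrity levels as "High" and "Medium"; the window and the abused_parents list are starting points. SilentCleanup is left out because its elevated child is started by the Task Scheduler service, not by one of these parents.

```kql
// Added example: registry handler hijack followed by an elevated child of an
// auto-elevating parent on the same device. Assumptions as stated in the lead-in.
let lookback = 7d;
let window = 10m;
let hijack_keys = dynamic([@"\Software\Classes\ms-settings\Shell\Open\command",
                           @"\Software\Classes\mscfile\shell\open\command",
                           @"\Software\Classes\Folder\shell\open\command",
                           @"\Software\Classes\exefile\shell\runas\command"]);
let abused_parents = dynamic(["fodhelper.exe", "computerdefaults.exe", "eventvwr.exe", "sdclt.exe",
                              "wsreset.exe", "slui.exe", "cmstp.exe", "dllhost.exe"]);
let hijack_writes =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    | where RegistryKey startswith "HKEY_CURRENT_USER"
    | where RegistryKey has_any (hijack_keys)
    | project DeviceId, DeviceName, RegTime = Timestamp, RegistryKey, RegistryValueName, RegistryValueData,
              Writer = InitiatingProcessFileName, WriterCommandLine = InitiatingProcessCommandLine,
              WriterAccount = InitiatingProcessAccountName;
let elevated_children =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessIntegrityLevel in ("High", "System")
    | where InitiatingProcessFileName in~ (abused_parents)
    // the two parents that legitimately spawn something
    | where not(InitiatingProcessFileName =~ "eventvwr.exe" and FileName =~ "mmc.exe")
    | where not(InitiatingProcessFileName =~ "sdclt.exe" and FileName =~ "control.exe")
    | project DeviceId, ProcTime = Timestamp, Parent = InitiatingProcessFileName,
              ParentCommandLine = InitiatingProcessCommandLine,
              Child = FileName, ChildCommandLine = ProcessCommandLine, ChildAccount = AccountName;
hijack_writes
| join kind=inner elevated_children on DeviceId
| where ProcTime between (RegTime .. (RegTime + window))
| project RegTime, ProcTime, DeviceName, WriterAccount, Writer, WriterCommandLine,
          RegistryKey, RegistryValueName, RegistryValueData,
          Parent, ParentCommandLine, Child, ChildAccount, ChildCommandLine
| order by RegTime desc
```

The Writer column is the process that planted the handler (reg.exe, powershell.exe or the dropper itself) and is usually the best lead back to initial access; bypass tools normally delete the key afterwards, so the registry row may be the only artefact left on the host.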

5. T1134 - Access Token Manipulation

Objective: Detect manipulation of access tokens to impersonate other users or escalate privileges.

The same caveat as for process injection applies: API names (DuplicateTokenEx, ImpersonateLoggedOnUser, CreateProcessWithTokenW) only reach a command line when they sit in script text, typically a PowerShell P/Invoke or Add-Type block. The telemetry that records token abuse directly is the DeviceEvents ActionType "ProcessPrimaryTokenModified" in MDE, the ProcessTokenElevation and ProcessIntegrityLevel columns of DeviceProcessEvents, and Security events 4672 (special privileges assigned at logon) and 4703 (token right adjusted).

  1. Detect Token Impersonation Attempts

DeviceProcessEvents | where ProcessCommandLine has_any ("ImpersonateLoggedOnUser", "DuplicateTokenEx", "SetThreadToken", "ImpersonateNamedPipeClient") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: Script text naming the impersonation APIs; ImpersonateNamedPipeClient is the primitive behind the named-pipe SYSTEM tricks (PowerUp's Get-System and Metasploit's getsystem named-pipe technique).

  2. Monitor for Use of Mimikatz Token Modules

DeviceProcessEvents | where ProcessCommandLine has_any ("mimikatz", "token::elevate", "token::list", "token::whoami", "privilege::debug") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: token::elevate impersonates SYSTEM (or a named account) from an elevated session and privilege::debug enables SeDebugPrivilege first. sekurlsa::pth is pass-the-hash, a credential-access module, and belongs under Credential Access (TA0006).

  3. Identify Token Duplication

DeviceProcessEvents | where ProcessCommandLine has_any ("DuplicateTokenEx", "DuplicateToken", "OpenProcessToken", "OpenThreadToken") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: Opening another process's token and duplicating it is the first half of every token-theft chain; the second half is one of the CreateProcess* variants in query 8.

  4. Detect Token Manipulation via PowerShell

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Invoke-TokenManipulation", "Get-System") | project Timestamp, DeviceName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: PowerSploit's Invoke-TokenManipulation enumerates and impersonates tokens; PowerUp's Get-System uses named-pipe impersonation. Both are usually delivered with -EncodedCommand, so decode before matching.

  5. Monitor for Token Privilege Adjustments

DeviceProcessEvents | where ProcessCommandLine has_any ("AdjustTokenPrivileges", "SetTokenInformation", "LookupPrivilegeValue") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: Enabling SeDebugPrivilege or changing a token's integrity level through these calls precedes most token theft.

  6. Detect Primary Token Replacement (MDE Telemetry)

DeviceEvents | where ActionType == "ProcessPrimaryTokenModified" | project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, AdditionalFields

Purpose: Recorded when a process's primary token is replaced, which is what getsystem-style token theft and CreateProcessWithTokenW chains produce; this event does not depend on anything appearing in a command line. Confirm the ActionType is present in your tenant (summarize count() by ActionType).

  7. Detect Token Manipulation Strings From Non-Elevated Processes

DeviceProcessEvents | where ProcessCommandLine has_any ("DuplicateTokenEx", "ImpersonateLoggedOnUser", "CreateProcessWithTokenW") and ProcessIntegrityLevel in ("Low", "Medium") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: Administrative membership cannot be read from an account name, so the useful split is integrity level: token calls issued from a Medium-integrity process are an escalation attempt, while the same calls from High or System are more likely tooling that is already elevated.

  8. Monitor for Process Creation Using Stolen Tokens

DeviceProcessEvents | where ProcessCommandLine has_any ("CreateProcessWithTokenW", "CreateProcessAsUserW", "CreateProcessWithLogonW") | project Timestamp, DeviceName, FileName, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: These are the calls that turn a duplicated or impersonated token into a new process running as that identity; the Potato family ends with CreateProcessWithTokenW or CreateProcessAsUserW.

  9. Identify Logons Holding Sensitive Privileges

SecurityEvent | where EventID == 4672 and AccountType == "User" and PrivilegeList has_any ("SeDebugPrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege") | summarize Logons = count(), Hosts = dcount(Computer), Privileges = make_set(PrivilegeList) by Account | order by Hosts desc

Purpose: 4672 fires for every logon that receives these rights, so every administrative logon is in here; the value is in who holds SeImpersonatePrivilege (service accounts, IIS application pools: the Potato family needs exactly that right) and on how many hosts, rather than in any single event. Privilege names only appear in a process command line when a script asks for them, which is why the Security log is the source here.

  10. Detect Token Manipulation Using Third-Party Tools

DeviceProcessEvents | where ProcessCommandLine has_any ("incognito", "juicypotato", "printspoofer", "roguepotato", "sweetpotato", "godpotato") or FileName has_any ("incognito", "potato", "printspoofer") | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessAccountName

Purpose: Identify token-stealing tools by name; incognito (standalone and as a Meterpreter extension) lists and impersonates tokens, and the Potato family abuses SeImpersonatePrivilege to reach SYSTEM.
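Whatever the mechanism, a local exploit (T1068) or token abuse (T1134) that succeeds leaves the same shape in process telemetry: a process running as SYSTEM whose parent ran as an ordinary user. The following added KQL example, not from the original page, serves both sections by hunting for that parent/child shape. It assumes MDE's documented values (AccountName "system", ProcessIntegrityLevel "System", "High", "Medium", "Low"); expected_parents is a tuning starting point, not a vetted allow-list. An exploit that elevates its own token in place without spawning a child is not caught here and needs the DeviceEvents ProcessPrimaryTokenModified telemetry instead.

```kql
// Added example: SYSTEM (or System-integrity) children of Medium/Low-integrity parents
// that ran as a normal user. Potato-style SeImpersonatePrivilege abuse, a stolen SYSTEM
// token, and a service-path hijack all produce this. Assumptions in the lead-in.
let lookback = 7d;
let expected_parents = dynamic(["consent.exe", "services.exe", "svchost.exe", "wininit.exe", "winlogon.exe",
                                "msiexec.exe", "taskhostw.exe", "wmiprvse.exe", "mssense.exe", "msmpeng.exe"]);
let system_accounts = dynamic(["system", "local service", "network service"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where AccountName =~ "system" or ProcessIntegrityLevel == "System"
| where isnotempty(InitiatingProcessAccountName)
| where InitiatingProcessAccountName !in~ (system_accounts)
| where not(InitiatingProcessAccountName endswith "$")          // machine accounts
| where InitiatingProcessIntegrityLevel in ("Medium", "Low")
| where InitiatingProcessFileName !in~ (expected_parents)
| project Timestamp, DeviceName,
          ParentUser = InitiatingProcessAccountName, ParentIntegrity = InitiatingProcessIntegrityLevel,
          Parent = InitiatingProcessFileName, ParentPath = InitiatingProcessFolderPath,
          ParentCommandLine = InitiatingProcessCommandLine,
          ChildUser = AccountName, ChildIntegrity = ProcessIntegrityLevel,
          Child = FileName, ChildCommandLine = ProcessCommandLine, ProcessTokenElevation
| order by Timestamp desc
```

A UAC consent elevation is not caught by this query, and correctly so: it produces a High-integrity child under the same user account, not a SYSTEM one. Anything that does match is either a misconfigured piece of software worth fixing or an escalation worth investigating, which makes it a low-volume, high-value hunt to run daily.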

6. T1078 - Valid Accounts

Objective: Detect the use of valid accounts to gain elevated privileges.

  1. Detect Use of Default or Well-Known Accounts

IdentityLogonEvents | where AccountDomain == "NT AUTHORITY" or AccountDomain == "BUILTIN" | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Identify logons using default or well-known accounts that may be used for privilege escalation.

  1. Monitor for Unusual Account Activity by Admin Users

IdentityLogonEvents | where AccountDomain != "NT AUTHORITY" and AccountDomain != "BUILTIN" | where AccountName endswith "admin" or AccountName endswith "administrator" | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Detect unusual activity by accounts with administrative privileges.

  1. Identify Logons Using Service Accounts

IdentityLogonEvents
| where AccountName startswith "svc_" or AccountName endswith "_svc"
| where LogonType in~ ("Interactive", "RemoteInteractive")
| project Timestamp, ActionType, AccountName, AccountDomain, LogonType, DeviceName, DestinationDeviceName, IPAddress

Purpose: Monitor for interactive logons using service accounts. Service accounts should only ever produce Service, Batch or Network logons; an Interactive or RemoteInteractive session means a person, or an attacker who obtained the credential, is using it, which is where the privilege-escalation risk lies.

  1. Detect Lateral Movement Using Valid Accounts

IdentityLogonEvents
| where ActionType == "LogonSuccess"
| where LogonType in~ ("RemoteInteractive", "Network")
| where AccountName matches regex @"(?i)(admin|^svc_|_svc$)"
| summarize Targets = dcount(DestinationDeviceName), Hosts = make_set(DestinationDeviceName, 20), Sources = make_set(DeviceName, 10) by AccountName, AccountDomain, bin(Timestamp, 1h)
| where Targets >= 5   // tune to the environment

Purpose: Identify lateral movement attempts using valid accounts. One privileged account reaching many destination hosts inside an hour is the lateral-movement shape; the threshold is a starting point and needs tuning against administrative tooling that fans out by design.

  1. Monitor for Logon Attempts by Non-Privileged Accounts

IdentityLogonEvents
| where ActionType == "LogonSuccess"
| where LogonType in~ ("Interactive", "RemoteInteractive")
| where AccountName !has_any ("admin", "administrator") and not(AccountName startswith "svc_")
| summarize Sessions = count(), Devices = dcount(DeviceName), Hosts = make_set(DeviceName, 20) by AccountName, AccountDomain, bin(Timestamp, 1d)
| where Devices >= 3   // tune to the environment

Purpose: Detect interactive logons by non-privileged accounts that spread across hosts. On its own every workstation logon by a standard user matches, so the query only becomes a detection with a threshold or a baseline; escalate where a non-privileged account appears interactively on servers or on several machines in one day.

  1. Identify Attempted Use of Disabled or Expired Accounts

IdentityLogonEvents
| where ActionType == "LogonFailed"
| where FailureReason contains "disabled" or FailureReason contains "expired"
| summarize Attempts = count(), Sources = make_set(IPAddress, 10), Reasons = make_set(FailureReason) by AccountName, AccountDomain, bin(Timestamp, 1h)
| order by Attempts desc

Purpose: Monitor for attempts to use disabled or expired accounts. IdentityLogonEvents carries no account-status columns; the attempt is visible only as a failed logon whose FailureReason names the disabled or expired state. The exact FailureReason strings vary by sensor, so confirm them against a sample event in your tenant.

  1. Detect Suspicious Use of Local Administrator Accounts

DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where AccountSid endswith "-500"
| where AccountDomain =~ tostring(split(DeviceName, ".")[0])
| where LogonType in~ ("Network", "RemoteInteractive")
| project Timestamp, DeviceName, AccountName, AccountDomain, LogonType, RemoteIP, RemoteDeviceName, IsLocalAdmin

Purpose: Identify suspicious logon attempts using local Administrator accounts. RID 500 identifies the built-in Administrator even after it has been renamed, and a local account's AccountDomain equals the host name (the short DeviceName), which is what distinguishes it from the domain Administrator. Remote use of a local admin account is the classic pass-the-hash lateral-movement pattern; console logons are left out.

  1. Monitor for Account Usage Outside of Normal Hours

IdentityLogonEvents
| where ActionType == "LogonSuccess"
| extend Hour = hourofday(Timestamp), Day = dayofweek(Timestamp)
| where Hour >= 22 or Hour < 6 or Day == 0d or Day == 6d
| project Timestamp, Hour, AccountName, AccountDomain, LogonType, DeviceName, DestinationDeviceName

Purpose: Detect account usage outside of normal business hours that may indicate privilege escalation. Timestamp is UTC, so shift the hour boundaries by your local offset; the weekend test (dayofweek returns 0d for Sunday and 6d for Saturday) extends the window to non-working days.

  1. Identify Use of Stolen Credentials

IdentityLogonEvents
| where ActionType == "LogonFailed"
| where AccountName matches regex @"(?i)(admin|^svc_|_svc$)"
| summarize Failures = count(), Sources = dcount(IPAddress), SourceIPs = make_set(IPAddress, 10), Reasons = make_set(FailureReason) by AccountName, AccountDomain, bin(Timestamp, 15m)
| where Failures >= 10   // tune to the environment

Purpose: Monitor for bursts of failed logons against privileged accounts. Failures reveal password guessing or spraying rather than credential use; a stolen credential succeeds on the first try, so the stronger signal for theft is a success from a source never before seen for that account.

  1. Detect Use of Valid Accounts by Non-Standard Processes

DeviceProcessEvents
| where InitiatingProcessAccountName has_any ("admin", "administrator") or InitiatingProcessAccountName startswith "svc_"
| where FileName !in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "conhost.exe")
| summarize Executions = count(), Devices = dcount(DeviceName), Example = take_any(ProcessCommandLine) by FileName, FolderPath, InitiatingProcessAccountName
| order by Executions asc

Purpose: Identify use of valid accounts by processes that are not typically associated with administrative tasks. Ranking by execution count floats the rare binaries to the top: something a privileged account ran once, on one host, from a user-writable path, deserves a look before the hundreds of routine tool launches.
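Several of the T1078 items above ask for "unusual" use of privileged accounts, which a single pass over the table cannot judge. The following hunt, an added example and not one of the page's own queries, compares the last day of successful logons against the previous thirty days and reports account/device pairs that have never been seen before. It assumes the same privileged-account naming convention the items above use (names ending in admin or administrator); adjust the regex to your own standard, and treat the lookback and recent windows as tuning choices.

```kusto
// Added example, not part of the original page.
// Assumptions: privileged accounts follow the "*admin"/"*administrator" naming convention;
// 30d lookback and 1d recent windows are tuning choices.
let lookback = 30d;
let recent = 1d;
let privileged = IdentityLogonEvents
    | where AccountDomain !in~ ("NT AUTHORITY", "BUILTIN")
    | where AccountName matches regex @"(?i)(admin|administrator)$"
    | where ActionType == "LogonSuccess";
// Every (account, source device) pair observed during the baseline period.
let known = privileged
    | where Timestamp between (ago(lookback) .. ago(recent))
    | distinct AccountName, DeviceName;
// Pairs from the last day that do not appear in the baseline.
privileged
| where Timestamp > ago(recent)
| join kind=leftanti known on AccountName, DeviceName
| summarize Logons = count(), FirstSeen = min(Timestamp),
            LogonTypes = make_set(LogonType), SourceIPs = make_set(IPAddress, 10),
            Destinations = make_set(DestinationDeviceName, 10)
    by AccountName, AccountDomain, DeviceName
| order by FirstSeen desc
```

The leftanti join is what turns a list into a detection: the output is only what was absent from the baseline. Run it daily; a newly onboarded admin produces one day of noise and then disappears from the results.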

7. T1547 - Boot or Logon Autostart Execution

Objective: Detect mechanisms that automatically execute code with elevated privileges upon boot or user logon.

  1. Detect Modifications to Registry Run Keys

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\CurrentVersion\Run" or RegistryKey endswith @"\CurrentVersion\RunOnce"
// optional triage filter: | where RegistryValueData matches regex @"(?i)\\(users|programdata|temp)\\"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify changes to registry keys that execute programs at startup. DeviceRegistryEvents records hives as HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER rather than HKLM/HKCU, and the endswith match covers both hives plus RunOnce. The HKLM keys are the escalation-relevant ones: their entries run for every user who logs on, including administrators, whereas an HKCU entry only persists at the owning user's privilege.

  1. Monitor for New Entries in the Startup Folder

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains @"\Start Menu\Programs\Startup"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect new files added to the Startup folder that may be used to execute code with elevated privileges. Both the per-user folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp) match; writing to the all-users folder requires administrative rights, and an entry there runs in every user's session, so that is the case to prioritize.

  1. Identify Modifications to Winlogon Keys

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Windows NT\CurrentVersion\Winlogon"
| where RegistryValueName in~ ("Userinit", "Shell")
| where not(RegistryValueName =~ "Userinit" and RegistryValueData endswith @"\system32\userinit.exe,")
| where not(RegistryValueName =~ "Shell" and RegistryValueData =~ "explorer.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Monitor for changes to Winlogon values that may indicate privilege escalation attempts. Userinit and Shell are values under the Winlogon key, not keys of their own, so the match is on the key plus the value name. The default data (userinit.exe with its trailing comma, and explorer.exe) is excluded so that only deviations surface, typically a second binary appended to Userinit's comma-separated list or a replaced shell.

  1. Detect Creation of New Services Set to Auto Start

DeviceEvents
| where ActionType == "ServiceInstalled"
| extend Fields = parse_json(AdditionalFields)
| extend ServiceName = tostring(Fields.ServiceName), StartType = tostring(Fields.ServiceStartType), ServiceAccount = tostring(Fields.ServiceAccount)
| where StartType in~ ("2", "Auto", "Automatic")   // SERVICE_AUTO_START = 2; check how your tenant renders the field
| project Timestamp, DeviceName, ServiceName, StartType, ServiceAccount, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the creation of new services configured to start automatically, potentially providing elevated privileges. Service installation is recorded in DeviceEvents (there is no separate service table), with the service name, start type and account carried in AdditionalFields; confirm the field names and the start-type representation against a sample event. Any service runs as its configured account, usually LocalSystem, so an auto-start service whose binary lives in a user-writable path is an escalation finding in its own right.

  1. Monitor for New Logon Scripts

DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath contains @"\Scripts\Logon" or FolderPath contains @"\SYSVOL\"
| where FileName matches regex @"(?i)\.(bat|cmd|ps1|vbs|js)$"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Detect the creation or modification of logon scripts that may be used for privilege escalation. Group Policy logon scripts live in SYSVOL under \Policies\{GUID}\User\Scripts\Logon and run for every user the policy applies to, so a modified script there executes on many hosts at once; a per-user logon script can also be set through the HKCU\Environment\UserInitMprLogonScript value, which is worth watching with a DeviceRegistryEvents query of the same shape as the Run-key one.

  1. Identify Modifications to the Shell Registry Key

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Windows NT\CurrentVersion\Winlogon"
| where RegistryValueName =~ "Shell"
| where RegistryValueData !~ "explorer.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Monitor for changes to the Shell value that can be used to persist elevated privileges. Shell is a value under the Winlogon key; the match covers both the machine-wide HKEY_LOCAL_MACHINE copy and the per-user HKEY_CURRENT_USER one, which normally does not exist at all, so its creation is suspicious regardless of the data written.

  1. Detect New DLLs Added to Startup Folders

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains @"\Start Menu\Programs\Startup"
| where FileName endswith ".dll"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify DLL files added to startup folders. A DLL does not execute from Startup on its own; it is loaded by a shortcut or executable dropped alongside it (a .lnk invoking rundll32, for example), so pivot on the initiating process and look for a .lnk or .exe created in the same folder at about the same time.

  1. Monitor for Creation of WMI Event Subscriptions

union
    (DeviceEvents
     | where ActionType == "WmiBindEventFilterToConsumer"
     | project Timestamp, DeviceName, Source = ActionType, Detail = tostring(AdditionalFields), InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName),
    (DeviceProcessEvents
     | where ProcessCommandLine has_any ("__EventFilter", "CommandLineEventConsumer", "ActiveScriptEventConsumer", "__FilterToConsumerBinding")
     | project Timestamp, DeviceName, Source = FileName, Detail = ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName)
| order by Timestamp desc

Purpose: Detect the creation of WMI event subscriptions that can be used for persistent privilege escalation. A permanent subscription needs a filter, a consumer and a binding between them; the WmiBindEventFilterToConsumer event catches the binding however it was created, while the command-line half catches the wmic or PowerShell invocations that name the WMI classes. Consumers run as SYSTEM, which is what makes this an escalation technique and not just persistence.

  1. Detect Creation of Hidden Scheduled Tasks

DeviceProcessEvents
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
| where ProcessCommandLine matches regex @"(?i)/ru\s+""?(nt authority\\)?system" or ProcessCommandLine has "/xml"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify the creation of system-level scheduled tasks that may be used to persist elevated privileges. The regex accepts any casing and quoting of /RU SYSTEM, and tasks created from an XML file are included because the principal and the Hidden setting sit inside the XML, invisible on the command line. Tasks registered directly through the API leave no schtasks.exe process at all; the ScheduledTaskCreated event in DeviceEvents is the source for those.
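The schtasks command line only covers one of three ways a task can be registered. The hunt below, an added example rather than one of the page's own queries, reads the registered task definition itself from the ScheduledTaskCreated event and flags tasks that run as SYSTEM or are marked hidden, whichever tool created them. It assumes the event's AdditionalFields payload carries TaskName and TaskContent (the task XML); confirm both field names against a sample event in your tenant. Excluding tasks registered by SYSTEM itself is a tuning choice.

```kusto
// Added example, not part of the original page.
// Assumption: AdditionalFields of ScheduledTaskCreated contains TaskName and TaskContent (task XML).
DeviceEvents
| where ActionType == "ScheduledTaskCreated"
| extend Fields = parse_json(AdditionalFields)
| extend TaskName = tostring(Fields.TaskName), TaskContent = tostring(Fields.TaskContent)
// The principal is either the SYSTEM SID or a textual SYSTEM user id; Hidden is a boolean element.
| extend RunsAsSystem = TaskContent contains "S-1-5-18" or TaskContent contains "SYSTEM</UserId>",
         Hidden = TaskContent contains "<Hidden>true</Hidden>",
         Command = extract(@"<Command>(.*?)</Command>", 1, TaskContent),
         Arguments = extract(@"<Arguments>(.*?)</Arguments>", 1, TaskContent)
| where RunsAsSystem or Hidden
// Tuning assumption: tasks registered by SYSTEM are mostly Windows and installer noise;
// a non-SYSTEM account registering a SYSTEM task is the escalation case.
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
| project Timestamp, DeviceName, TaskName, RunsAsSystem, Hidden, Command, Arguments,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

Extracting Command and Arguments from the XML gives the analyst the actual payload in the result row, so a hit can be triaged without opening the task on the host.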

8. T1055.001 - Dynamic-link Library Injection

Objective: Detect DLL injection techniques used to execute code in the context of another process, potentially with elevated privileges.

  1. Detect DLL Injection Using LoadLibrary

DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("LoadLibrary", "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "OpenProcess")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify scripted DLL injection that uses LoadLibrary as the remote thread's entry point. The API names only reach a command line when the injection is written inline in a script host (Add-Type or P/Invoke in PowerShell, ctypes in Python); a compiled injector leaves nothing here, and for those the CreateRemoteThreadApiCall and NtMapViewOfSectionRemoteApiCall events in DeviceEvents are the right source.

  1. Monitor for DLL Injection Using CreateRemoteThread

DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName !in~ ("csrss.exe", "MsMpEng.exe")   // extend with the security tooling and installers seen in your environment
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessIntegrityLevel, TargetProcess = FileName, TargetPid = ProcessId, AdditionalFields

Purpose: Detect attempts to inject DLLs using the CreateRemoteThread API. The call is not visible on any command line; Defender for Endpoint records it as a CreateRemoteThreadApiCall event with the caller in the InitiatingProcess columns and the target process in FileName and ProcessId. Security products and some installers create remote threads legitimately, so baseline those before alerting.

  1. Identify DLL Injection via NtMapViewOfSection

DeviceEvents
| where ActionType == "NtMapViewOfSectionRemoteApiCall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, TargetProcess = FileName, TargetPid = ProcessId, AdditionalFields

Purpose: Monitor for DLL injection attempts that map a section into another process. Section mapping avoids WriteProcessMemory entirely, so the NtMapViewOfSectionRemoteApiCall event is the only place it shows; the caller is in the InitiatingProcess columns and the target in FileName and ProcessId.

  1. Detect DLL Injection via AppInit_DLLs

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Windows NT\CurrentVersion\Windows"
| where RegistryValueName in~ ("AppInit_DLLs", "LoadAppInit_DLLs")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify modifications to the AppInit_DLLs mechanism, which loads the listed DLLs into every process that links user32.dll. AppInit_DLLs is a value under the ...\Windows NT\CurrentVersion\Windows key (and its Wow6432Node twin, which the endswith match also covers), and it only takes effect when LoadAppInit_DLLs is set to 1, so both values are watched. Secure Boot disables the mechanism on Windows 8 and later, but a write here is still an attacker attempting it.

  1. Monitor for DLL Injection via SetWindowsHookEx

DeviceImageLoadEvents
| where FileName endswith ".dll"
| where FolderPath !startswith @"C:\Windows\" and FolderPath !startswith @"C:\Program Files"
| summarize Loaders = dcount(InitiatingProcessFileName), Processes = make_set(InitiatingProcessFileName, 20) by DeviceName, FolderPath, FileName, SHA256, bin(Timestamp, 10m)
| where Loaders >= 5   // tune to the environment

Purpose: Detect attempts to inject DLLs using the SetWindowsHookEx API. A global hook DLL is loaded by every process that receives the hooked messages, so the observable is one DLL from a non-standard path being pulled into many unrelated processes within minutes. The hook call itself never appears on a command line; the image loads do.

  1. Identify DLL Injection via RtlCreateUserThread or NtCreateThreadEx

DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| where FileName in~ ("lsass.exe", "winlogon.exe", "services.exe", "svchost.exe", "spoolsv.exe", "csrss.exe")
| where InitiatingProcessIntegrityLevel !~ "System"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessIntegrityLevel, TargetProcess = FileName, TargetPid = ProcessId, AdditionalFields

Purpose: Monitor for DLL injection attempts using the lower-level thread-creation routines. RtlCreateUserThread and NtCreateThreadEx reach the same outcome as CreateRemoteThread, a new thread in another process, and produce the same CreateRemoteThreadApiCall event, so no separate command-line string exists to match. The filter keeps the privilege-escalation case: a caller below System integrity putting a thread into a SYSTEM process.

  1. Detect DLLs Loaded Into Elevated Processes From User-Writable Paths

DeviceImageLoadEvents
| where InitiatingProcessIntegrityLevel in~ ("High", "System")
| where FileName endswith ".dll"
| where FolderPath matches regex @"(?i)^[a-z]:\\(users|programdata|windows\\temp)\\"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, InitiatingProcessAccountName, FileName, FolderPath, SHA256

Purpose: Identify injected DLLs by their effect rather than by the API used. CreateProcessWithTokenW is a token API (T1134), not an injection primitive, and neither it nor any other API name appears on a command line; whatever route the injection takes, the injected DLL surfaces as an image load in the elevated process. A High or System integrity process loading a DLL from a user-writable path is the finding.

  1. Monitor for Remote Memory Allocation (Code-Cave and Zw-Prefixed Variants)

DeviceEvents
| where ActionType == "NtAllocateVirtualMemoryRemoteApiCall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, TargetProcess = FileName, TargetPid = ProcessId, AdditionalFields

Purpose: Detect injection that relies on the lesser-known native routines. Code caving writes a payload into existing executable memory of another process, and the Zw-prefixed names (ZwMapViewOfSection, ZwUnmapViewOfSection) are simply aliases of the Nt syscalls, so there is no command-line string to match. Injection that does not reuse an existing cave must first allocate memory in the target, which NtAllocateVirtualMemoryRemoteApiCall records; a true cave shows up at the section-mapping or thread-creation stage instead.

  1. Identify DLL Injection via Process Hollowing

DeviceEvents
| where ActionType == "SetThreadContextRemoteApiCall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessId, TargetProcess = FileName, TargetPid = ProcessId, AdditionalFields

Purpose: Monitor for process hollowing. Hollowing starts a process suspended, unmaps its image (ZwUnmapViewOfSection), writes the payload and finally redirects the main thread with SetThreadContext; that last step is the telemetry, recorded as SetThreadContextRemoteApiCall. Corroborate a hit by finding the DeviceProcessEvents row in which the same InitiatingProcessId created the target shortly before. Note that the payload is a full PE image rather than a DLL.

  1. Detect DLL Injection via Malicious Services

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\" and RegistryKey contains @"\Services\" and RegistryKey endswith @"\Parameters"
| where RegistryValueName =~ "ServiceDll"
| where RegistryValueData !startswith @"%SystemRoot%\system32\" and RegistryValueData !startswith @"C:\Windows\system32\"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Identify DLL injection via malicious services. A service hosted by svchost.exe loads its code from the ServiceDll value under the service's Parameters key, so pointing that value at a DLL outside System32 runs attacker code as the service account, usually SYSTEM, inside a trusted host process. Third-party services legitimately use other paths; tune the exclusions to the vendors present in your estate.
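The API-call events used in this section are noisy one at a time, but an injector rarely uses just one of them. The hunt below, an added example and not one of the page's own queries, scores each calling process by how many distinct injection primitives it used against how many targets within an hour. It assumes the DeviceEvents ActionType names listed in the block, and the exclusion of OS-vendor-signed callers is a tuning assumption to adjust for your environment.

```kusto
// Added example, not part of the original page.
// Assumptions: the ActionType names below; InitiatingProcessSignerType == "OsVendor"
// as the first-pass exclusion for Windows-signed callers (tune for your environment).
let primitives = dynamic([
    "NtAllocateVirtualMemoryRemoteApiCall",   // remote allocation
    "NtMapViewOfSectionRemoteApiCall",        // section mapping
    "CreateRemoteThreadApiCall",              // thread creation (any API route)
    "SetThreadContextRemoteApiCall",          // hollowing / thread hijack
    "QueueUserApcRemoteApiCall"]);            // APC injection
DeviceEvents
| where ActionType in (primitives)
| where InitiatingProcessSignerType != "OsVendor"
| summarize Primitives = make_set(ActionType), PrimitiveCount = dcount(ActionType),
            Targets = make_set(FileName, 20), TargetCount = dcount(ProcessId),
            Account = take_any(InitiatingProcessAccountName),
            CommandLine = take_any(InitiatingProcessCommandLine)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, bin(Timestamp, 1h)
// Two different primitives, or one primitive sprayed across several targets, is the shape worth a look.
| where PrimitiveCount >= 2 or TargetCount >= 3
| order by PrimitiveCount desc, TargetCount desc
```

Grouping by InitiatingProcessId as well as the file name keeps separate instances of the same binary apart, so a legitimate installer that fires once does not inherit the score of an injector running alongside it.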
