Sub-technique: T1068 - Exploitation for Privilege Escalation
Objective: Detect exploitation attempts to gain higher privileges on the system.

Processes Running with Elevated Privileges
DeviceProcessEvents
| where ProcessIntegrityLevel in ("High", "System")
| project Timestamp, DeviceName, FileName, ProcessIntegrityLevel, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
Purpose: Identify processes running with elevated privileges.

Known Exploitation Tools
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "procdump", "secretsdump")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessFileName
Purpose: Detect known exploitation tools.

New Driver Installations
// Driver loads are recorded in DeviceEvents with ActionType "DriverLoad";
// Advanced Hunting has no DeviceDriverEvents table or DriverName column.
DeviceEvents
| where ActionType == "DriverLoad"
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessAccountName, InitiatingProcessFileName
Purpose: Monitor new driver installations, which show up as driver loads, that may be used for privilege escalation.

Kernel Module Load Events
DeviceImageLoadEvents
| where FileName endswith ".sys"
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Detect loading of new kernel modules.

Exploitation via Process Injection
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("inject", "reflective")
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Identify process injection attempts.

Detect UAC Bypass Attempts
DeviceProcessEvents
| where ProcessCommandLine has "bypassuac"
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Monitor attempts to bypass User Account Control.

Privilege Escalation via Service Creation
DeviceProcessEvents
// Match on the image name rather than the phrase "sc create", so "sc.exe create" and extra spacing are also caught.
| where FileName =~ "sc.exe" and ProcessCommandLine has "create"
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Detect service creation attempts that may be used for privilege escalation.

Detecting Usage of Exploit Mitigation Bypass
DeviceProcessEvents
| where ProcessCommandLine has_any ("exploit", "mitigation", "bypass")
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Identify attempts to bypass exploit mitigation controls.

Privilege Escalation Using Scheduled Tasks
DeviceProcessEvents
// Match on the image name so both the "/create" and "-create" switch styles are caught.
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "create"
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Monitor for scheduled tasks used for privilege escalation.

Detect Privilege Escalation via Windows Installer
DeviceProcessEvents
| where ProcessCommandLine has "msiexec"
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Purpose: Identify privilege escalation attempts using Windows Installer.
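The first query on this page (Processes Running with Elevated Privileges) returns every High/System process, which on a Windows host is most of them. As an added example that is not one of the page's own queries, the version below looks for the parent/child integrity-level jump that an actual T1068 escalation produces and surfaces the rare pairs first; the lookback window, the excluded parent name and the rarity thresholds are assumptions to tune per environment.

```kql
// Added example (not from the original page): hunt for an integrity-level jump
// between a Low/Medium initiating process and its High/System child, then rank
// parent/child pairs by prevalence so one-off combinations come out on top.
// Assumptions to tune per environment: lookback window, excluded parents, thresholds.
let lookback = 7d;
// explorer.exe is the usual requester of user-consented UAC elevations, so it is
// excluded here; any other Medium-integrity parent spawning an elevated child is kept.
let expectedParents = dynamic(["explorer.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessIntegrityLevel in ("High", "System")
| where InitiatingProcessIntegrityLevel in ("Low", "Medium")
| where InitiatingProcessFileName !in~ (expectedParents)
// Collapse to parent/child pairs so rare combinations stand out.
| summarize Count = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(ProcessCommandLine)
    by InitiatingProcessFileName, InitiatingProcessIntegrityLevel,
       FileName, ProcessIntegrityLevel, ProcessTokenElevation, InitiatingProcessAccountName
// Prevalence-based triage: few occurrences on few devices first.
| where Count <= 5 and Devices <= 2
| order by Count asc, LastSeen desc
```

Consented UAC elevations from installers and other Medium-integrity launchers will still appear; the prevalence columns are what separate a routine setup.exe from a parent/child pair seen once on one device.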