MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1068: Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

vulnerabilities: PT-CR-1719: PrivEsc_via_UAC_Elevated_Data: An attempt to elevate privileges to SYSTEM using an IFaultrepElevatedDataCollectionUAC utility
vulnerabilities: PT-CR-1983: Possible_CVE_2023_20198_Cisco_IOS_XE: Possible exploitation of vulnerability CVE-2023-20198 in Cisco IOS XE associated with privilege escalation by creating a new administrator account
vulnerabilities: PT-CR-1994: CVE_2023_22515_Confluence: Exploitation of vulnerability CVE-2023-22515 in Confluence, which allows accounts with administrator rights to be created without authenticating to the server
mitre_attck_execution: PT-CR-1908: Execute_over_WER_Service: Attackers can exploit a WER service vulnerability that allows spoofing an executable file and running an attacker's file with system privileges
mitre_attck_privilege_escalation: PT-CR-846: JuicyPotato_PrivEsc: Detects privilege escalation to the System user using the JuicyPotato or JuicyPotatoNG technique. After this, the attacker can extract from the compromised node credentials for various services of local users, and in some cases, other users who accessed this node. Using this data will allow the attacker to move horizontally (Lateral Movement) to other infrastructure nodes.
mitre_attck_privilege_escalation: PT-CR-847: MultiPotato_PrivEsc: The MultiPotato tool is used to escalate privileges
vulnerabilities: PT-CR-2074: Subrule_CVE_2023_4911_GLIBC_Buffer_Overflow: Subrule of the rule CVE_2023_4911_GLIBC_Buffer_Overflow. The rule detects local privilege escalation via a buffer overflow. Attackers using the CVE-2023-4911 vulnerability can start SUID programs to execute code with elevated privileges
vulnerabilities: PT-CR-2078: CVE_2023_4911_GLIBC_Buffer_Overflow: The rule detects local privilege escalation via a buffer overflow. Attackers using the CVE-2023-4911 vulnerability can start SUID programs to execute code with elevated privileges
vulnerabilities: PT-CR-2469: CVE_2024_26229_CSC_Service_PrivEsc: Exploitation of vulnerability CVE-2024-26229 in the csc.sys offline files driver allows a low-privileged attacker to escalate their privileges to NT AUTHORITY\SYSTEM in the current command-line session. This can lead to the compromise of local and domain user accounts, as well as accounts of users who have previously accessed the host. By using the compromised data, the attacker can move laterally within the target infrastructure.
vulnerabilities: PT-CR-628: CVE_2021_41379_exploitation: Vulnerability CVE-2021-41379 was exploited
vulnerabilities: PT-CR-681: CVE_2022_26503_exploitation: Vulnerability CVE-2022-26503 was exploited
vulnerabilities: PT-CR-683: CVE_2022_26503_Subrule_2: Process Veeam.EndPoint.Service started another process
vulnerabilities: PT-CR-829: Certified_Priv_Esc_CVE_2022_26923: The domain privileges were escalated using vulnerability CVE-2022-26923 in Active Directory Certificate Services
vulnerabilities: PT-CR-849: PrintSpooler_PrivEsc: Privileges were escalated using a vulnerability in the print spooler service
vulnerabilities: PT-CR-850: PrintSpooler_PrivEsc_CVE_2022_30206: Privileges were escalated using vulnerability CVE-2022-30206 in the print spooler service
vulnerabilities: PT-CR-862: Subrule_StartProcess_And_Create_ConfigMsi: A user launched an application that is trying to create the system directory C:\Config.msi
vulnerabilities: PT-CR-863: Symlink_via_SpoolDirectory: A non-privileged user wrote using a link or the spooler service
vulnerabilities: PT-CR-889: LPE_7zip_CVE_2022_29072: Possible exploitation of vulnerability CVE-2022-29072 in 7-Zip for privilege elevation
vulnerabilities: PT-CR-890: Possible_CVE_2019_1388: Possible exploitation of vulnerability CVE-2019-1388
vulnerabilities: PT-CR-891: Possible_CVE_2020_1350: Possible exploitation of vulnerability CVE-2020-1350
vulnerabilities: PT-CR-892: Possible_CVE_2021_1647: Possible exploitation of vulnerability CVE-2021-1647 in Windows Defender
vulnerabilities: PT-CR-893: PrinterPort_Backdoor: Possible exploitation of vulnerability CVE-2020-1048 in Windows Print Spooler service
pt_nad: PT-CR-737: NAD_SAM_account_name_spoofing: A user requested a TGT
mitre_attck_privilege_escalation: PT-CR-851: Remote_Potato_Capture_Hash: The user's NTLM hash is captured using the RemotePotato technique
mitre_attck_privilege_escalation: PT-CR-852: Remote_Potato_Relay_Hash: The NTLM hash of a logged on user is captured using the RemotePotato technique
mitre_attck_privilege_escalation: PT-CR-853: RoguePotato_PrivEsc: Privileges are escalated using the RoguePotato technique
mitre_attck_privilege_escalation: PT-CR-855: Subrule_Action_After_Pipe_Connected: The MultiPotato tool is used to escalate privileges to local administrator or System
mitre_attck_privilege_escalation: PT-CR-857: Subrule_Elevated_Process_Run: A non-privileged user ran a process
mitre_attck_privilege_escalation: PT-CR-859: Subrule_IMarshal_Interface: Creation of an IMarshal interface is detected
mitre_attck_privilege_escalation: PT-CR-860: Subrule_Not_Self_Relay: An attempt to conduct an NTLM relay attack is detected
mitre_attck_privilege_escalation: PT-CR-861: Subrule_Pwned_Pipe: A process opened a suspicious pipe
unix_mitre_attck_privilege_escalation: PT-CR-1747: Unix_Exploiting_OverlayFS: Privilege escalation using the Linux kernel OverlayFS vulnerability (CVE-2023-0386)
mitre_attck_privilege_escalation: PT-CR-1212: PrintNotify_Potato: Privileges of a service account are escalated using the PrintNotifyPotato technique
mitre_attck_privilege_escalation: PT-CR-1217: RasMan_Potato: Local escalation of privileges from a service account to SYSTEM using the RasmanPotato technique is detected
mitre_attck_privilege_escalation: PT-CR-1218: Subrule_RasMan_Pipe: A subrule for local privilege escalation with Rasman Potato
mitre_attck_privilege_escalation: PT-CR-1353: PrivEsc_via_Comctl32: Exploitation of a logic error when creating a folder that requires administrator rights to access. Once a specific trigger fires, this allows a user's privilege level to be elevated to SYSTEM.
mitre_attck_privilege_escalation: PT-CR-1933: GodPotato_PrivEsc: Privilege escalation using the GodPotato technique allows an attacker with the ImpersonatePrivilege privilege to escalate their privileges to the System user. After this, the attacker can extract from the compromised node credentials for various services of local users, and in some cases, other users who accessed this node. Using this data will allow the attacker to move horizontally (Lateral Movement) to other infrastructure nodes.
mitre_attck_privilege_escalation: PT-CR-2063: CoercedPotato_PrivEsc: Attempt to use the CoercedPotato technique. Privilege escalation using the CoercedPotato technique allows attackers with the ImpersonatePrivilege privilege to escalate their privileges to the SYSTEM level. After that, attackers can use the compromised host to retrieve credentials of local users, and in some cases other users that accessed this host. This data will allow attackers to perform lateral movement in the infrastructure.
mitre_attck_privilege_escalation: PT-CR-2135: PetitPotato_PrivEsc: PetitPotato was used to escalate privileges
mitre_attck_privilege_escalation: PT-CR-2147: LocalPotato_PrivEsc: Privilege escalation with the LocalPotato technique by replacing the context during local NTLM authentication
mitre_attck_privilege_escalation: PT-CR-2148: Subrule_HTTP_request: A process sent an HTTP request and received a response from the system
mitre_attck_privilege_escalation: PT-CR-2241: Subrule_S4UTomato_IMarshal_Creation: A process with command line content typical of the S4UTomato utility created an IMarshal interface
mitre_attck_privilege_escalation: PT-CR-2242: S4UTomato_PrivEsc: The privileges of a service account were escalated to the SYSTEM level using the S4UTomato utility
active_directory_attacks: PT-CR-654: SAM_Account_Name_Spoofing: The user renamed the AD object or requested a TGT ticket on behalf of an account that matches the name of the domain controller. This may indicate a sAMAccountName spoofing attack. It can allow an attacker to obtain a TGT ticket, for example, in the name of a domain controller, gain a foothold in the system and increase their privileges
active_directory_attacks: PT-CR-837: KrbRelay_Usage: There are signs of use of the KrbRelay or DavRelayUp utility, which abuses the absence of LDAP signing to relay the authentication process and obtain a TGS ticket for the SPN account on behalf of the administrator. After that, an attacker can elevate their privileges to local administrator and execute malicious code on the compromised node
active_directory_attacks: PT-CR-838: ShadowCred_Used: The use of the msds-keycredentiallink attribute to authorize a machine account in a domain without using a password was detected. This is a sign of using KrbRelayUp to locally elevate privileges using Shadow Credentials. An attacker can use this to obtain the credentials of other users and horizontally move to other infrastructure nodes
mitre_attck_privilege_escalation: PT-CR-465: Spoolsv_Priv_Escalation: A suspicious behavior of the built-in Microsoft Windows utility "spoolsv" is detected
mitre_attck_privilege_escalation: PT-CR-466: Suspicious_Windows_Kernel_creating: A Windows NT operating system executable is created
active_directory_attacks: PT-CR-1203: Abuse_Kerberos_RC4: Possible exploitation of the CVE-2022-33679 vulnerability in Kerberos, which allows attackers to obtain an authenticated session on behalf of the victim and execute arbitrary code on a compromised node. This may allow an attacker to extract the credentials of other users and move horizontally to other infrastructure nodes
active_directory_attacks: PT-CR-2298: Zerologon_Attack: Exploitation of vulnerability CVE-2020-1472 (Zerologon), which allows changing the passwords of domain controller accounts
sap_attack_detection: PT-CR-157: SAPASABAP_Start_critical_module: Start of a SAP critical functional module
sap_attack_detection: PT-CR-158: SAPASABAP_Start_critical_transaction: Start of SAP critical transaction

Detection

ID: DS0027
Data source and component: Driver: Driver Load
Description:

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode. Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.
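The driver-load monitoring suggested above, as an added example that is not code from the MaxPatrol SIEM page or from Sysmon: it screens Sysmon Event ID 6 (Driver Loaded) records against a blocklist of known vulnerable driver hashes and flags drivers loading without a valid signature. The flattened record layout, the blocklist entries and all hashes are constructed placeholders.

```python
# Added example: BYOVD screening over Sysmon Event ID 6 records.
# Record layout, blocklist entries and hashes are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

# Placeholder blocklist keyed by SHA256; in production populate it from a vetted
# source such as the Microsoft recommended driver block rules.
VULN_A = "0" * 63 + "1"
VULN_DRIVER_SHA256 = {VULN_A: "placeholder vulnerable driver A"}

@dataclass
class DriverAlert:
    image: str
    sha256: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value|Key=Value' record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def check_driver_load(event: dict) -> Optional[DriverAlert]:
    """Return an alert for an Event ID 6 record that deserves investigation."""
    if event.get("EventID") != "6":
        return None  # other Sysmon events are out of scope here
    image = event.get("ImageLoaded", "")
    # Sysmon writes Hashes as 'SHA256=...,MD5=...'; pick out the SHA256 value.
    hashes = dict(h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "").lower()
    if sha256 in VULN_DRIVER_SHA256:
        return DriverAlert(image, sha256, "known vulnerable driver: " + VULN_DRIVER_SHA256[sha256])
    # A valid signature does not make a driver safe (BYOVD drivers are signed),
    # but a kernel driver loading without one is itself worth a look.
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        return DriverAlert(image, sha256, "driver loaded without a valid signature")
    return None

def scan(lines):
    """Run every record through check_driver_load and keep the alerts."""
    alerts = (check_driver_load(parse_event(line)) for line in lines)
    return [a for a in alerts if a is not None]

# Constructed sample records: a blocklisted signed driver, a clean signed
# driver, an unsigned driver from a user-writable path, and a non-driver event.
SAMPLE_EVENTS = [
    f"EventID=6|ImageLoaded=C:\\Windows\\Temp\\placeholder.sys|Hashes=SHA256={VULN_A},MD5=placeholder|Signed=true|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Hashes=SHA256=" + "a" * 64 + "|Signed=true|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\tmp.sys|Hashes=SHA256=" + "b" * 64 + "|Signed=false|SignatureStatus=Unavailable",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe",
]
```

Running scan(SAMPLE_EVENTS) yields two alerts: the blocklisted driver and the unsigned one; the clean ndis.sys load and the Event ID 1 record produce none.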

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges because they may be operating within a lower privileged process that does not allow them to access protected information or carry out tasks that require higher permissions. A common way of escalating privileges on a system is by externally invoking and exploiting the spoolsv or conhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us to any potentially malicious activity.

Note: the event IDs are Sysmon Event ID 1 (process create) and Windows Security Log Event ID 4688 (a new process has been created). The analytic looks for an invocation of either spoolsv.exe or conhost.exe by a user, so that any potentially malicious activity is surfaced. A common way of escalating privileges on a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications.

Analytic 1 - Unusual Child Process for spoolsv.exe or conhost.exe

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage="C:\Windows\System32\cmd.exe"

Note that Security Event ID 4688 records the process as NewProcessName and its parent as ParentProcessName rather than Image and ParentImage; unless those fields are aliased at ingest, the 4688 branch of this query will never match.
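The analytic above applied to both event shapes it names, as an added example that is not code from the MaxPatrol SIEM page or from MITRE: Sysmon Event ID 1 carries Image/ParentImage while Security Event ID 4688 carries NewProcessName/ParentProcessName, so the records are normalised onto one shape before matching. The flattened log lines and user names are constructed for illustration.

```python
# Added example: the spoolsv.exe / conhost.exe parent-process analytic run over
# Sysmon Event ID 1 and Security 4688 records. Log lines are constructed.
from typing import Optional

TARGETS = {r"c:\windows\system32\spoolsv.exe", r"c:\windows\system32\conhost.exe"}
# Parent the page's query treats as suspicious for these binaries.
SUSPICIOUS_PARENTS = {r"c:\windows\system32\cmd.exe"}

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value|Key=Value' record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def normalise(event: dict) -> Optional[dict]:
    """Map a Sysmon 1 or Security 4688 record onto one image/parent/user shape."""
    src, code = event.get("Source", ""), event.get("EventCode", "")
    if "Sysmon" in src and code == "1":
        return {"image": event.get("Image", ""),
                "parent": event.get("ParentImage", ""),
                "user": event.get("User", "")}
    if src.endswith("Security") and code == "4688":
        # 4688 names the same facts differently; without this mapping the
        # Security branch of the analytic silently never fires.
        return {"image": event.get("NewProcessName", ""),
                "parent": event.get("ParentProcessName", ""),
                "user": event.get("SubjectUserName", "")}
    return None  # other events are outside this analytic

def find_hits(lines):
    """Return the normalised events for which the analytic fires."""
    hits = []
    for line in lines:
        ev = normalise(parse_event(line))
        if ev and ev["image"].lower() in TARGETS and ev["parent"].lower() in SUSPICIOUS_PARENTS:
            hits.append(ev)
    return hits

# Constructed sample lines: a Sysmon hit, a Security 4688 hit that only matches
# because of the field mapping, a benign spooler start, and an unrelated event.
SAMPLE_LINES = [
    r"Source=WinEventLog:Microsoft-Windows-Sysmon/Operational|EventCode=1|Image=C:\Windows\System32\spoolsv.exe|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\jdoe",
    r"Source=WinEventLog:Security|EventCode=4688|NewProcessName=C:\Windows\System32\conhost.exe|ParentProcessName=C:\Windows\System32\cmd.exe|SubjectUserName=jdoe",
    r"Source=WinEventLog:Microsoft-Windows-Sysmon/Operational|EventCode=1|Image=C:\Windows\System32\spoolsv.exe|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM",
    r"Source=WinEventLog:Microsoft-Windows-Sysmon/Operational|EventCode=6|ImageLoaded=C:\Windows\System32\drivers\ndis.sys",
]
```

Expect conhost.exe with a cmd.exe parent to be routine on Windows 8 and later, where the console host is started by the console application itself, so baseline this pairing before alerting on it.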

Mitigation

ID: M1051
Name: Update Software
Description:

Update software regularly by employing patch management for internal enterprise endpoints and servers.

ID: M1050
Name: Exploit Protection
Description:

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.

ID: M1048
Name: Application Isolation and Sandboxing
Description:

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.

ID: M1019
Name: Threat Intelligence Program
Description:

Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.

ID: M1038
Name: Execution Prevention
Description:

Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.