# Detecting Privilege Escalation with Sysmon

Privilege escalation is a critical stage in an attack, allowing adversaries to gain higher system privileges (e.g., NT AUTHORITY\SYSTEM) and execute malicious actions. Sysmon provides detailed monitoring capabilities to detect such activities by analyzing process executions, registry modifications, and network connections.

***

## **Common Privilege Escalation Techniques**

### **1. Weak Service Permissions**

**Attack Vector:** Exploiting weak service permissions to modify the service configuration.

**Attack Steps:**

1. **Service Enumeration:** Identify services with misconfigured permissions using tools like `accesschk`.
2. **Modify Service Configuration:** Change the `ImagePath` to point to a malicious binary.
3. **Start the Service:** Execute the binary with SYSTEM privileges.

**Sysmon Detection:**

* **Event ID 13** - **Registry Modification**: Tracks changes to service configurations in the registry (`ImagePath`).
* **Event ID 1** - **Process Creation**: Logs the execution of malicious binaries.
* **Event ID 3** - **Network Connection**: Captures outbound connections from the malicious process.

**Sample Sysmon Logs:**

**Registry Modification (Event ID 13):**

```
UtcTime: 2024-11-12T14:00:00.000Z
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\VulnerableService\ImagePath
Details: C:\malicious\reverse_shell.exe
```

**Process Creation (Event ID 1):**

```
UtcTime: 2024-11-12T14:01:00.000Z
Image: C:\malicious\reverse_shell.exe
ParentImage: C:\Windows\System32\services.exe
```

**Network Connection (Event ID 3):**

```
UtcTime: 2024-11-12T14:02:00.000Z
Image: C:\malicious\reverse_shell.exe
DestinationIp: 192.168.1.100
DestinationPort: 4444
```

***

### **2. Insecure Registry Permissions**

**Attack Vector:** Modifying registry keys associated with services to execute malicious payloads.

**Attack Steps:**

1. **Identify Insecure Registry Keys:** Find registry keys with weak permissions.
2. **Modify the `ImagePath`:** Point the service to a malicious executable.
3. **Start the Service:** Run the payload with SYSTEM privileges.

**Sysmon Detection:**

* **Event ID 13** - **Registry Modification**: Detects unauthorized changes to sensitive registry keys.

**Sample Sysmon Logs:**

**Registry Modification (Event ID 13):**

```
UtcTime: 2024-11-12T15:00:00.000Z
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\InsecureService\ImagePath
Details: C:\malicious\payload.exe
```

***

### **3. Metasploit `getsystem` Command**

**Attack Vector:** Using Metasploit’s built-in privilege escalation techniques.

**Attack Steps:**

1. **Execute `getsystem`:** Automatically applies privilege escalation techniques.
2. **Create Temporary Services:** Leverage service creation to gain SYSTEM privileges.

**Sysmon Detection:**

* **Event ID 1** - **Process Creation**: Detects command-line executions.
* **Event ID 13** - **Registry Modification**: Tracks registry changes related to new or modified services.

**Sample Sysmon Logs:**

**Process Creation (Event ID 1):**

```
UtcTime: 2024-11-12T16:00:00.000Z
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\System32\services.exe
```

**Registry Modification (Event ID 13):**

```
UtcTime: 2024-11-12T16:01:00.000Z
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\TempService\ImagePath
Details: C:\Windows\System32\cmd.exe
```
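The detection chain from sections 1 and 3 above (the Event ID 13 rule also covers section 2) as a small correlation script, added here as an example and not part of the original page: it parses events in the page's `Key: Value` style with an `EventId` field added to each block (an assumption, as is the sample data, which is constructed from the page's own excerpts), and it assumes a Sysmon configuration that actually emits registry (Event 13) and network (Event 3) events for the paths and processes involved, since neither is logged without matching rules.

```python
import re
# Constructed sample events in the page's "Key: Value" style, with an EventId field added (not a real Sysmon export).
SAMPLE_LOGS = r"""
EventId: 13
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\VulnerableService\ImagePath
Details: C:\malicious\reverse_shell.exe

EventId: 1
Image: C:\malicious\reverse_shell.exe
ParentImage: C:\Windows\System32\services.exe

EventId: 3
Image: C:\malicious\reverse_shell.exe
DestinationIp: 192.168.1.100
DestinationPort: 4444

EventId: 13
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\TempService\ImagePath
Details: C:\Windows\System32\cmd.exe
"""

SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

def parse_events(text):
    """One dict per blank-line-separated event block."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
            for b in re.split(r"\n\s*\n", text.strip())]

def is_suspicious_binary(path):
    """A shell as a service binary (the getsystem pattern), or anything outside the OS and Program Files trees."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in ("cmd.exe", "powershell.exe") or not path.lower().startswith(("c:\\windows\\", "c:\\program files"))

def detect(events):
    """Correlate Event 13 (ImagePath rewrite), Event 1 (child of services.exe) and Event 3 (outbound)."""
    alerts, flagged = [], set()  # flagged: lowercase image paths already tied to a service abuse
    for ev in events:
        eid, image = ev.get("EventId"), ev.get("Image", "").lower()
        if eid == "13" and (m := SERVICE_IMAGEPATH.search(ev.get("TargetObject", ""))):
            if is_suspicious_binary(ev["Details"]):
                flagged.add(ev["Details"].lower())
                alerts.append(("imagepath_rewrite", m.group(1), ev["Details"]))
        elif eid == "1" and ev.get("ParentImage", "").lower().endswith("\\services.exe"):
            if is_suspicious_binary(image) or image in flagged:
                flagged.add(image)
                alerts.append(("service_spawned_binary", image))
        elif eid == "3" and image in flagged:
            alerts.append(("outbound_from_escalated", image, ev["DestinationIp"] + ":" + ev["DestinationPort"]))
    return alerts
```

Running `detect(parse_events(SAMPLE_LOGS))` yields one alert per stage of the section 1 chain plus the `TempService` rewrite to `cmd.exe`; tune the trusted-path list to the host's actual service layout before relying on it.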

***

#### **Sysmon Event ID Summary for Privilege Escalation Detection**

| **Event ID** | **Description**                        | **Use Case**                                                                   |
| ------------ | -------------------------------------- | ------------------------------------------------------------------------------ |
| **1**        | Process Creation                       | Track execution of suspicious processes.                                       |
| **13**       | Registry Object Added/Deleted/Modified | Detect changes to critical registry keys (e.g., service `ImagePath`).          |
| **3**        | Network Connection                     | Identify outbound connections from escalated processes (e.g., reverse shells). |

***

## **Best Practices for Mitigating Privilege Escalation**

1. **Harden Service and Registry Permissions:**
   * Regularly audit permissions on services and registry keys.
   * Use tools like `accesschk` to identify weak configurations.
2. **Enable Sysmon with a Robust Configuration:**
   * Use a tailored Sysmon configuration to monitor high-risk areas.
   * Filter noise by excluding known legitimate processes.
3. **Integrate with SIEM:**
   * Forward Sysmon logs to a SIEM for correlation and alerting.
   * Set up real-time alerts for critical Event IDs (1, 13, 3).
4. **Monitor for Post-Exploitation Behavior:**
   * Focus on lateral movement and privilege escalation indicators.
   * Combine Sysmon logs with other telemetry sources (e.g., Windows Event Logs).

***

## **Key Points**

By leveraging **Sysmon Event IDs** and tailoring detection rules, security teams can effectively monitor and detect privilege escalation attempts. Combined with proactive auditing and real-time alerting, Sysmon provides robust visibility into malicious activities, enabling faster response and containment.
