Detecting Privilege Escalation with Sysmon

Privilege escalation is a critical stage in an attack, allowing adversaries to gain higher system privileges (e.g., NT AUTHORITY\SYSTEM) and execute malicious actions. Sysmon provides detailed monitoring capabilities to detect such activities by analyzing process executions, registry modifications, and network connections.


Common Privilege Escalation Techniques

1. Weak Service Permissions

Attack Vector: Exploiting weak service permissions to modify the service configuration.

Attack Steps:

  1. Service Enumeration: Identify services with misconfigured permissions using tools like accesschk.

  2. Modify Service Configuration: Change the ImagePath to point to a malicious binary.

  3. Start the Service: Execute the binary with SYSTEM privileges.

Sysmon Detection:

  • Event ID 13 - Registry Modification: Tracks changes to service configuration values in the registry (e.g., ImagePath under HKLM\SYSTEM\CurrentControlSet\Services).

  • Event ID 1 - Process Creation: Logs the launch of the substituted binary, typically with services.exe as its parent.

  • Event ID 3 - Network Connection: Captures outbound connections (e.g., a reverse shell) initiated by the escalated process.

Sample Sysmon Logs:

Registry Modification (Event ID 13):

UtcTime: 2024-11-12T14:00:00.000Z
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\VulnerableService\ImagePath
Details: C:\malicious\reverse_shell.exe

Process Creation (Event ID 1):

UtcTime: 2024-11-12T14:01:00.000Z
Image: C:\malicious\reverse_shell.exe
ParentImage: C:\Windows\System32\services.exe

Network Connection (Event ID 3):

UtcTime: 2024-11-12T14:02:00.000Z
Image: C:\malicious\reverse_shell.exe
DestinationIp: 192.168.1.100
DestinationPort: 4444

2. Insecure Registry Permissions

Attack Vector: Modifying registry keys associated with services to execute malicious payloads.

Attack Steps:

  1. Identify Insecure Registry Keys: Find registry keys with weak permissions.

  2. Modify the ImagePath: Point the service to a malicious executable.

  3. Start the Service: Run the payload with SYSTEM privileges.

Sysmon Detection:

  • Event ID 13 - Registry Modification: Detects unauthorized changes to sensitive registry keys.

Sample Sysmon Logs:

Registry Modification (Event ID 13):

UtcTime: 2024-11-12T15:00:00.000Z
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\InsecureService\ImagePath
Details: C:\malicious\payload.exe

3. Metasploit getsystem Command

Attack Vector: Using Metasploit’s built-in privilege escalation techniques.

Attack Steps:

  1. Execute getsystem: Automatically applies privilege escalation techniques.

  2. Create Temporary Services: Leverage service creation to gain SYSTEM privileges.

Sysmon Detection:

  • Event ID 1 - Process Creation: Detects command-line executions, e.g., cmd.exe spawned with services.exe as its parent.

  • Event ID 13 - Registry Modification: Tracks registry changes related to new or modified services.

Sample Sysmon Logs:

Process Creation (Event ID 1):

UtcTime: 2024-11-12T16:00:00.000Z
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\System32\services.exe

Registry Modification (Event ID 13):

UtcTime: 2024-11-12T16:01:00.000Z
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\TempService\ImagePath
Details: C:\Windows\System32\cmd.exe

Sysmon Event ID Summary for Privilege Escalation Detection

Event ID | Description                            | Use Case
---------|----------------------------------------|-------------------------------------------------------------------------------
1        | Process Creation                       | Track execution of suspicious processes.
13       | Registry Object Added/Deleted/Modified | Detect changes to critical registry keys (e.g., service ImagePath).
3        | Network Connection                     | Identify outbound connections from escalated processes (e.g., reverse shells).
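To show how the three Event IDs above chain into one detection, the following added Python example (not from the original page; the field names come from the sample logs, while the record layout, the 10-minute WINDOW and the severity labels are assumptions) correlates an ImagePath change (Event 13) with the later launch of that binary by services.exe (Event 1) and any outbound connection it makes (Event 3).

```python
from datetime import datetime, timedelta

SERVICES_KEY = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"   # compared upper-cased
WINDOW = timedelta(minutes=10)  # assumed max gap between ImagePath change and launch

# Constructed sample records mirroring the field names in the page's sample logs.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-11-12T14:00:00.000Z",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VulnerableService\\ImagePath",
     "Details": "C:\\malicious\\reverse_shell.exe"},
    {"EventID": 1, "UtcTime": "2024-11-12T14:01:00.000Z",
     "Image": "C:\\malicious\\reverse_shell.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 3, "UtcTime": "2024-11-12T14:02:00.000Z",
     "Image": "C:\\malicious\\reverse_shell.exe",
     "DestinationIp": "192.168.1.100", "DestinationPort": "4444"},
    # Benign control: a normal service child of services.exe with no ImagePath change.
    {"EventID": 1, "UtcTime": "2024-11-12T14:05:00.000Z",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def correlate(events):
    """One alert per ImagePath change followed within WINDOW by services.exe launching that binary."""
    alerts = []
    for chg in events:
        target = chg.get("TargetObject", "").upper()
        if chg["EventID"] != 13 or not target.startswith(SERVICES_KEY) \
                or not target.endswith("\\IMAGEPATH"):
            continue
        service = chg["TargetObject"].split("\\")[-2]
        binary = chg["Details"].strip('"').lower()   # Details holds the new ImagePath value
        t0 = parse_time(chg["UtcTime"])
        for proc in events:
            if proc["EventID"] != 1 or proc["Image"].lower() != binary \
                    or not proc["ParentImage"].lower().endswith("\\services.exe"):
                continue
            if not timedelta(0) <= parse_time(proc["UtcTime"]) - t0 <= WINDOW:
                continue
            # Any Event 3 from the hijacked binary after the change raises severity.
            conns = [(c["DestinationIp"], c["DestinationPort"]) for c in events
                     if c["EventID"] == 3 and c["Image"].lower() == binary
                     and parse_time(c["UtcTime"]) >= t0]
            alerts.append({"service": service, "binary": binary,
                           "severity": "critical" if conns else "high",
                           "connections": conns})
    return alerts
```

Run against SAMPLE_EVENTS, correlate() returns a single critical alert for VulnerableService and ignores the svchost.exe launch, since no ImagePath change preceded it.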


Best Practices for Mitigating Privilege Escalation

  1. Harden Service and Registry Permissions:

    • Regularly audit permissions on services and registry keys.

    • Use tools like accesschk to identify weak configurations.

  2. Enable Sysmon with a Robust Configuration:

    • Use a tailored Sysmon configuration to monitor high-risk areas.

    • Filter noise by excluding known legitimate processes.

  3. Integrate with SIEM:

    • Forward Sysmon logs to a SIEM for correlation and alerting.

    • Set up real-time alerts for critical Event IDs (1, 13, 3).

  4. Monitor for Post-Exploitation Behavior:

    • Focus on lateral movement and privilege escalation indicators.

    • Combine Sysmon logs with other telemetry sources (e.g., Windows Event Logs).


Key Points

By leveraging Sysmon Event IDs and tailoring detection rules, security teams can effectively monitor and detect privilege escalation attempts. Combined with proactive auditing and real-time alerting, Sysmon provides robust visibility into malicious activities, enabling faster response and containment.