Correlate registry modifications (e.g., writes to registry keys used for UAC bypass), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and executions of unsigned elevated processes that carry non-standard tokens or elevation flags.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| ElevatedProcessPath | Paths to monitor for unsigned or unexpected elevated binaries |
| ParentProcessName | Parent-child execution chains that are suspicious in the local environment |
| TimeWindow | Time between a registry modification and the spawn of an elevated process |
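As an added illustration of the Windows correlation above (example code, not part of the original detection strategy), the following Python applies the ParentProcessName and TimeWindow tunables to constructed, pre-normalised Sysmon EventCode 13 and Security 4688/4672 events; the registry key prefix, the normalised field names and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Tunables from the Windows table above; these values are assumptions for the example.
TIME_WINDOW = timedelta(minutes=5)
SUSPICIOUS_PARENT_CHILD = {("control.exe", "cmd.exe")}
# Placeholder prefix: substitute the UAC-bypass keys your environment actually monitors.
WATCHED_REGISTRY_PREFIXES = (r"HKU\S-1-5-21-EXAMPLE\Software\Classes\PLACEHOLDER",)

# Constructed sample events, normalised from Sysmon EventCode 13 and Security 4688/4672.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "code": 13, "user": r"CORP\alice",
     "target": r"HKU\S-1-5-21-EXAMPLE\Software\Classes\PLACEHOLDER\shell\open\command"},
    {"time": "2024-05-01T10:00:40", "code": 4688, "user": r"CORP\alice",
     "parent": "control.exe", "image": "cmd.exe", "elevated": True},
    {"time": "2024-05-01T10:00:41", "code": 4672, "user": r"CORP\alice"},
    {"time": "2024-05-01T11:30:00", "code": 4688, "user": r"CORP\bob",
     "parent": "explorer.exe", "image": "cmd.exe", "elevated": False},
]

def within(a, b, window):
    return abs(a - b) <= window

def correlate(events, window=TIME_WINDOW):
    """Alert on each 4688 that uses a suspicious parent-child pair or is an elevated launch
    by a user who wrote a watched key within `window`; a nearby 4672 corroborates it."""
    events = sorted(events, key=lambda e: e["time"])
    reg_writes, priv_logons, alerts = [], [], []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["code"] == 13 and e["target"].startswith(WATCHED_REGISTRY_PREFIXES):
            reg_writes.append((t, e["user"], e["target"]))
        elif e["code"] == 4672:
            priv_logons.append((t, e["user"]))
            for a in alerts:  # back-fill corroboration for alerts raised before this 4672
                if a["user"] == e["user"] and within(t, datetime.fromisoformat(a["time"]), window):
                    a["corroborated_by_4672"] = True
        elif e["code"] == 4688:
            reasons = []
            if (e["parent"].lower(), e["image"].lower()) in SUSPICIOUS_PARENT_CHILD:
                reasons.append(f"suspicious parent-child {e['parent']} -> {e['image']}")
            if e["elevated"]:  # only elevated launches are tied back to registry writes
                for rt, ru, key in reg_writes:
                    if ru == e["user"] and timedelta(0) <= t - rt <= window:
                        reasons.append(f"elevated launch {int((t - rt).total_seconds())}s after write to {key}")
            if reasons:
                alerts.append({"time": e["time"], "user": e["user"], "image": e["image"], "reasons": reasons,
                               "corroborated_by_4672": any(u == e["user"] and within(t, pt, window)
                                                           for pt, u in priv_logons)})
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for alice's cmd.exe launch with two reasons and 4672 corroboration; bob's unelevated cmd.exe from explorer.exe produces nothing.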
Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users.

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | auditd:SYSCALL | setuid or setgid bit changes |
| Process Metadata (DC0034) | auditd:SYSCALL | execve with UID ≠ EUID |
| OS API Execution (DC0021) | auditd:SYSCALL | sudo or pkexec invocation |

| Field | Description |
|---|---|
| WatchedDirectories | Paths where unauthorized setuid binaries may be dropped |
| UserContext | Which users are allowed to run sudo/pkexec or modify binaries |
| TimeWindow | Duration between a file permission change and the elevated command execution |
Detect execution of /usr/libexec/security_authtrampoline or use of the AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI applications with escalated privileges.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | macos:unifiedlog | authorization execute privilege requests |
| Process Metadata (DC0034) | auditd:SYSCALL | execve with escalated privileges |
| Process Creation (DC0032) | fs:fsusage | binary execution of security_authtrampoline |

| Field | Description |
|---|---|
| WatchedBinaries | Binaries frequently targeted for privilege escalation |
| ExecutionParent | Applications that should never be allowed to spawn elevated processes |
Monitor for unexpected privilege elevation via SAML assertion manipulation, role injection, or changes to identity mappings that result in escalated access.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | azure:signinLogs | unusual role assumption or elevation path |

| Field | Description |
|---|---|
| AuthorizedRoleMappings | Roles or groups that should never be assumed outside designated paths |
| TimeWindow | Time between assertion issuance and critical privilege use |
Detect sudden privilege escalations such as IAM role changes, changes to user-assigned privilege boundaries, or elevation via assumed roles that exceeds normal behavior.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | AWS:CloudTrail | role privilege expansion detected |
| Process Metadata (DC0034) | AWS:CloudTrail | cross-account or unexpected assume role |

| Field | Description |
|---|---|
| PermittedRoleTransitions | Valid transitions between IAM roles |
| CrossAccountBoundary | Flag role assumptions that cross a trust boundary |