Detection Strategy for Exploitation for Privilege Escalation

ID: DET0514
Domains: Enterprise
Analytics: AN1419, AN1420, AN1421, AN1422
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1419

Detects exploitation attempts targeting vulnerable kernel drivers or OS components, often followed by unusual process or token behavior.

Log Sources

  Data Component                   Channel
  Driver Load (DC0079)             WinEventLog:Sysmon EventCode=6
  Process Creation (DC0032)        WinEventLog:Sysmon EventCode=1
  Logon Session Metadata (DC0088)  WinEventLog:Security EventCode=4672

Mutable Elements

  Field               Description
  DriverNamePattern   Targeted BYOVD drivers may vary based on campaign and tooling.
  TimeWindow          Controls temporal linking of driver load → process spawn → privilege use.
  ParentProcessPath   Parent-child relationships vary by exploitation vector (e.g., LOLBin vs. dropper).
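One way to implement the driver load → process spawn → privilege use chaining that AN1419 describes, as an added Python example that is not part of this detection strategy. The normalised event fields, the concrete regex values for DriverNamePattern and ParentProcessPath, the 300-second TimeWindow and the sample events are all assumptions constructed for the demo.

```python
import re
from datetime import datetime, timedelta

# AN1419 mutable elements; these concrete values are assumptions for the demo, not tuned thresholds.
DRIVER_NAME_PATTERN = re.compile(r"\\(Temp|Users|ProgramData)\\.*\.sys$", re.I)  # driver from a user-writable path
PARENT_PROCESS_PATH = re.compile(r"\\(Temp|Users|ProgramData)\\", re.I)         # dropper-style parent location
TIME_WINDOW_SECONDS = 300

# Constructed sample events with normalised fields (not real telemetry).
EVENTS = [
    # benign: vendor driver from the driver store, then a SYSTEM service and its 4672 (dropped by DriverNamePattern)
    {"ts": "2025-10-21T09:00:00", "host": "ws1", "channel": "Sysmon", "code": 6, "ImageLoaded": r"C:\Windows\System32\drivers\vendor.sys"},
    {"ts": "2025-10-21T09:00:05", "host": "ws1", "channel": "Sysmon", "code": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2025-10-21T09:00:10", "host": "ws1", "channel": "Security", "code": 4672, "User": "NT AUTHORITY\\SYSTEM"},
    # suspicious: driver loaded from Temp, shell spawned by a user-profile dropper, privileges assigned to that user within minutes
    {"ts": "2025-10-21T10:00:00", "host": "ws1", "channel": "Sysmon", "code": 6, "ImageLoaded": r"C:\Windows\Temp\drv.sys"},
    {"ts": "2025-10-21T10:00:20", "host": "ws1", "channel": "Sysmon", "code": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\loader.exe", "User": r"WS1\bob"},
    {"ts": "2025-10-21T10:00:45", "host": "ws1", "channel": "Security", "code": 4672, "User": r"WS1\bob"},
    # same chain on ws2, but the privilege use arrives 90 minutes later (outside the default TimeWindow)
    {"ts": "2025-10-21T11:00:00", "host": "ws2", "channel": "Sysmon", "code": 6, "ImageLoaded": r"C:\Users\eve\drv.sys"},
    {"ts": "2025-10-21T11:00:10", "host": "ws2", "channel": "Sysmon", "code": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\eve\loader.exe", "User": r"WS2\eve"},
    {"ts": "2025-10-21T12:30:00", "host": "ws2", "channel": "Security", "code": 4672, "User": r"WS2\eve"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _is(event, channel, code):
    return event["channel"] == channel and event["code"] == code

def correlate(events, driver_pattern=DRIVER_NAME_PATTERN, parent_pattern=PARENT_PROCESS_PATH,
              window_seconds=TIME_WINDOW_SECONDS):
    """Link Sysmon 6 -> Sysmon 1 -> Security 4672 on one host inside TimeWindow; one alert per chain."""
    window = timedelta(seconds=window_seconds)
    events = sorted(events, key=_ts)
    alerts = []
    for drv in events:
        if not (_is(drv, "Sysmon", 6) and driver_pattern.search(drv["ImageLoaded"])):
            continue
        deadline = _ts(drv) + window  # every later link in the chain must land before this
        for proc in events:
            if not (_is(proc, "Sysmon", 1) and proc["host"] == drv["host"]
                    and _ts(drv) <= _ts(proc) <= deadline and parent_pattern.search(proc["ParentImage"])):
                continue
            for priv in events:  # privilege use by the same user as the spawned process, after it
                if (_is(priv, "Security", 4672) and priv["host"] == drv["host"]
                        and priv["User"] == proc["User"] and _ts(proc) <= _ts(priv) <= deadline):
                    alerts.append({"host": drv["host"], "driver": drv["ImageLoaded"], "process": proc["Image"],
                                   "parent": proc["ParentImage"], "user": priv["User"]})
    return alerts
```

Widening `window_seconds` also surfaces the delayed ws2 chain, which is the trade-off the TimeWindow element controls.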

AN1420

Detects escalation via vulnerable setuid binaries or kernel modules, often chained with unusual access to /proc/kallsyms or /dev/kmem.

Log Sources

  Data Component             Channel
  Process Creation (DC0032)  auditd:SYSCALL execve
  Process Access (DC0035)    auditd:SYSCALL ACCESS
  Module Load (DC0016)       auditd:SYSCALL dmesg

Mutable Elements

  Field                  Description
  SetUIDBinaryList       Legitimate SUID binaries vary across distributions; false positives may arise.
  TimeWindow             Allows chaining kernel module load with privilege spike or privilege-sensitive process activity.
  EffectiveUIDThreshold  Default is uid=0, but environments may vary with containerized root-like accounts.

AN1421

Detects use of vulnerable kernel extensions or entitlements abused via setuid or AppleScript injection chains.

Log Sources

  Data Component             Channel
  Process Creation (DC0032)  macos:unifiedlog process:exec and kext load events
  Module Load (DC0016)       macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_KEXTLOAD

Mutable Elements

  Field            Description
  EntitlementList  Entitlements vary by app and OS version; some allow unexpected behavior.
  TimeWindow       Correlate SUID execution or AppleScript injection with privilege gain or module load.

AN1422

Detects container breakout behavior via exploitation (e.g., DirtyPipe, CVE-2022-0847), followed by host OS interaction or escalated capability assignment.

Log Sources

  Data Component                   Channel
  Logon Session Creation (DC0067)  auditd:SYSCALL capset or setns
  Container Enumeration (DC0091)   containerd:runtime (e.g., containerd, Docker events)

Mutable Elements

  Field                   Description
  NamespaceEscapePattern  May vary with CVE technique or custom syscall wrapper.
  TimeWindow              Controls correlation of breakout → host interaction.