IR-010 | endpoint | v1.0.0

Privilege Escalation Detection and Response

Severity: high / critical
Est. Time: 30m
Steps: 10 steps
Tools: 5 required
Integrations: 5 platforms
Avg Resolution: 60m

🔧 Tools Required

EDR
SIEM
Identity provider
PAM solution
Active Directory

⚡ Triggers

edr_privilege_escalation_alert
siem_admin_group_change
siem_sudo_to_root_anomaly
windows_event_4672
windows_event_4673
ad_group_membership_change
siem_uac_bypass_technique

🔌 Integrations

[required] CrowdStrike Falcon: Privilege escalation behavioral detection and process tree analysis

[optional] Microsoft Defender for Endpoint: Alternative EDR — Windows-native privilege escalation detection

[required] Splunk: Windows Event Log correlation, AD event monitoring

[optional] CyberArk PAM: Privileged Access Management — session recording and credential vaulting

[required] Azure Active Directory: Azure AD / on-prem AD — group membership and role assignment audit


Determine the privilege escalation method used: UAC bypass (common techniques: fodhelper, eventvwr, ComputerDefaults), token impersonation (SeImpersonatePrivilege), process injection into a higher-privileged process, kernel exploit, sudo misconfiguration (Linux), SUID binary abuse (Linux), or direct AD group modification. Identify the affected user account — was this a standard user who escalated, or a service account? Is this known-good administrator activity or clearly malicious?

⚡ Automation Hint

CrowdStrike: POST https://api.crowdstrike.com/detects/entities/summaries/GET/v1 with body {"ids": ["<detection_id>"]} (the Detects API takes the ids in a POST body even though the path ends in GET); review the detection technique field and the process tree.

Windows Event Log (4672, special privileges assigned to new logon; Properties[1] is SubjectUserName): Get-WinEvent -FilterHashtable @{LogName='Security';Id=4672} | Where-Object {$_.Properties[1].Value -notlike "*Administrator*"}

Linux: ausearch -m USER_ROLE_CHANGE -ts recent | grep -v "root"

📤 Outputs

escalation_technique
escalation_user
target_privilege_level
affected_host
detection_confidence
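As an added example (not part of the runbook or of any vendor tooling), a triage helper that maps events from the trigger families above (Windows 4672 special-privilege logons, an EDR process-tree event, a Linux sudo log line) onto this step's output fields; the normalized event schema, the allowlists and the sample events are constructed assumptions for the example.

```python
import re

# Constructed allowlists (assumption): expected Windows admins and expected sudoers.
KNOWN_ADMINS = {"Administrator", "svc-backup"}
KNOWN_SUDOERS = {"ops"}
# Auto-elevating binaries abused by the UAC bypass techniques named in the step.
UAC_BYPASS_PARENTS = {"fodhelper.exe", "eventvwr.exe", "computerdefaults.exe"}
# Privileges whose assignment to an unexpected account points at token abuse.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeDebugPrivilege", "SeTcbPrivilege"}
FIELDS = ("escalation_technique", "escalation_user", "target_privilege_level",
          "affected_host", "detection_confidence")  # the step's output fields
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;"
                     r"\s*COMMAND=(?P<cmd>\S+)")

def triage(event):
    """Classify one normalized event (constructed schema); None means no finding."""
    host, src = event.get("host", "unknown"), event.get("source")
    if src == "windows" and event.get("event_id") == 4672:
        user = event["subject_user"]
        if user in KNOWN_ADMINS or user.endswith("$"):
            return None  # expected administrator or machine account
        if set(event.get("privileges", [])) & TOKEN_PRIVS:
            return dict(zip(FIELDS, ("token_impersonation", user, "SYSTEM", host, "medium")))
        return dict(zip(FIELDS, ("special_privilege_logon", user, "Administrator", host, "low")))
    if src == "edr" and event.get("parent", "").lower() in UAC_BYPASS_PARENTS:
        # A high-integrity child of an auto-elevating binary is the classic bypass tree.
        if event.get("integrity") != "High":
            return None
        return dict(zip(FIELDS, ("uac_bypass", event["user"], "Administrator", host, "high")))
    if src == "linux":
        m = SUDO_RE.search(event["line"])
        if not m or m["target"] != "root" or m["user"] in KNOWN_SUDOERS:
            return None
        shell = m["cmd"].rsplit("/", 1)[-1] in {"bash", "sh", "su"}
        return dict(zip(FIELDS, ("sudo_misconfiguration", m["user"], "root", host,
                                 "high" if shell else "medium")))
    return None
# Constructed sample events, one per trigger family, plus a benign machine logon.
SAMPLES = [
    {"source": "windows", "event_id": 4672, "host": "WS01", "subject_user": "jdoe",
     "privileges": ["SeImpersonatePrivilege", "SeChangeNotifyPrivilege"]},
    {"source": "edr", "host": "WS02", "user": "asmith", "process": "cmd.exe",
     "parent": "fodhelper.exe", "integrity": "High"},
    {"source": "linux", "host": "web01", "line": "sudo: www-data : TTY=pts/0 ; "
     "PWD=/var/www ; USER=root ; COMMAND=/bin/bash"},
    {"source": "windows", "event_id": 4672, "host": "DC01", "subject_user": "DC01$",
     "privileges": ["SeTcbPrivilege"]},
]
def triage_all(events):
    return [f for f in map(triage, events) if f]
```

The allowlists are the tuning point: a service account that legitimately holds SeImpersonatePrivilege (IIS, SQL Server) belongs in KNOWN_ADMINS, otherwise every logon of it surfaces as a medium-confidence token finding.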