Suspicious Privilege Escalation

Description

Triggered when an account with administrator privledges logs in (event code 4672) and is associated with another user logging in within the same time period.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection, Security Monitoring

Category

Lateral Movement, Endpoint Compromise

Alert Volume

Medium (?)

SPL Difficulty

None

Journey

Stage 6

MITRE ATT&CK Tactics

Execution
Privilege Escalation

MITRE ATT&CK Techniques

PowerShell
Valid Accounts

MITRE Threat Groups

APT18
APT28
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
Wizard Spider
menuPass

Data Sources

Windows Security