Query Details

Sentinel UEBA Privilege Escalation Detection

Query

// Sentinel UEBA Privilege Escalation Detection

// Here is a list of interesting privilege escalation articles I read over the past weeks and my thoughts on potential solution to monitor all these escalations:

// UnOAuthorized: Privilege Elevation Through Microsoft Applications
// https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/

// Abusing PIM-related application permissions in Microsoft Graph - Part 1
// https://www.emiliensocchi.io/abusing-pim-related-application-permissions-in-microsoft-graph-part-1/

// Abusing PIM-related application permissions in Microsoft Graph - Part 2
https://www.emiliensocchi.io/abusing-pim-related-application-permissions-in-microsoft-graph-part-2/

// Abusing PIM-related application permissions in Microsoft Graph - Part 3
// https://www.emiliensocchi.io/abusing-pim-related-application-permissions-in-microsoft-graph-part-3/

// Sentinel UEBA Detection:

Anomalies
| where TimeGenerated > ago(1h)
| where RuleName == "UEBA Anomalous Privilege Granted"
| where ActivityInsights.ActionUncommonlyPerformedInTenant == "True"

// #Sentinel #UEBA #PrivilegeEscalation

// MITRE ATT&CK Mapping

// Based on the query, the following MITRE ATT&CK techniques are relevant:

// Privilege Escalation (T1078):
// The query detects anomalous privilege grants, which can be associated with unauthorized access or privilege escalation attempts.
// Account Manipulation (T1098):
// The detection of uncommon actions related to privilege grants can indicate account manipulation activities.
// Credential Access (T1078):
// Unusual privilege grants might also be related to attempts to gain access to credentials or escalate privileges.

Explanation

This query is designed to detect potential privilege escalation activities using Microsoft Sentinel's User and Entity Behavior Analytics (UEBA). It focuses on identifying unusual privilege grants within the last hour. Here's a simplified breakdown:

  1. Time Frame: The query looks at data from the past hour.
  2. Detection Focus: It specifically searches for events labeled as "UEBA Anomalous Privilege Granted."
  3. Uncommon Actions: It filters for actions that are not commonly performed within the tenant, indicating potential suspicious activity.

The query is part of a broader effort to monitor and detect privilege escalation attempts, which can involve unauthorized access or manipulation of accounts. It is mapped to relevant MITRE ATT&CK techniques, highlighting its focus on identifying privilege escalation, account manipulation, and credential access attempts.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

Anomalies

Keywords

SentinelUEBAPrivilegeEscalationMicrosoftApplicationsGraphAnomaliesTimeGeneratedRuleNameActivityInsightsActionUncommonlyPerformedInTenantMITREATT&CKTechniquesAccountManipulationCredentialAccess

Operators

Anomalies|where>ago(1h)=="UEBA Anomalous Privilege Granted""True"

MITRE Techniques

Actions

GitHub