Privilege Escalation
Detects privilege escalation attempts and dangerous elevation methods
16 rules in privilege_escalation.yml
CRITICAL: 5 | HIGH: 9 | MEDIUM: 2
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| ad_ | CRITICAL | AD Shadow Credentials (msDS-KeyCredentialLink Write) | Writes the msDS-KeyCredentialLink attribute on a user or computer object - the Shadow Credentials technique (Whisker/pyWhisker). An attacker who can write this attribute on a victim account can enroll a certificate and authenticate as the victim via PKINIT, obtaining a TGT without knowing the password. | |
| setuid_ | CRITICAL | SetUID Binary Creation | Creating or modifying setuid binaries, which can be used for privilege escalation | |
| windows_ | CRITICAL | Windows Registry Enables AlwaysInstallElevated (MSI LPE Via Standard-User Install) | A task sets the Windows registry values HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1 and/or HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1 via win_regedit, reg add, Group Policy import, or ansible.windows.win_regedit. When BOTH values are 1, Windows Installer runs every .msi invoked by any standard user with SYSTEM privileges - so a standard user who runs msiexec /i payload.msi with a reverse shell in a custom action obtains NT AUTHORITY\SYSTEM. This is the #1 Windows LPE technique in every OSCP / CTF writeup because it requires zero exploit code - just a poorly crafted GPO. Microsoft has never changed the behavior (documented, 'by design') - the only fix is never enabling it. Detected by every commercial EDR as 'T1548.002', yet still present in 4-6% of enterprise GPO inventories per 2024 PingCastle reports. | |
| windows_ | CRITICAL | Print Spooler service enabled on a domain controller (PrintNightmare / SpoolSample) | A task enables or starts the Print Spooler service (Spooler / spoolsv.exe) on a host that is a Domain Controller, typically via win_service: name=Spooler state=started enabled=yes, Set-Service -Name Spooler -StartupType Automatic, or sc config Spooler start= auto. Microsoft's own hardening guidance (ADV200005, KB5005010, and the 2021 PrintNightmare / SpoolSample / SpoolSampleSSL bulletins) requires Print Spooler to be disabled on all DCs - the combination of unconstrained delegation and Print Spooler RPC enables T1187 Forced Authentication / SMB relay attacks that yield Domain Admin within minutes (the 2021-2024 SpoolSample, PrintNightmare CVE-2021-1675 / CVE-2021-34527, and the 2024 CVE-2024-38198 / 38226 Spooler chains). Matches Ansible win_service, PowerShell DSC Service, and registry Start under HKLM\SYSTEM\CurrentControlSet\Services\Spooler. | |
| windows_ | CRITICAL | WDigest UseLogonCredential enabled (plaintext passwords in LSASS memory) | A task sets HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 1 (DWORD). This re-enables the pre-Windows 8.1 behavior where WDigest caches plaintext passwords in LSASS memory, enabling Mimikatz sekurlsa::wdigest to dump cleartext credentials of every interactively logged-on user. Microsoft disabled this by default in KB2871997 (May 2014); attackers flip it back on as their #1 credential-harvesting preparation step - documented in every major APT report (APT29, FIN6, Lazarus, UNC2452). Matches win_regedit, ansible.windows.win_regedit, reg add, Set-ItemProperty, and registry POL XML. | |
| cron_ | HIGH | Cron Entry With Elevated Command | Installing cron entries that execute shells or arbitrary scripts as root | |
| dangerous_ | HIGH | World-Writable Permissions on Sensitive Path | Setting any world-writable mode (octal ending in 2/3/6/7, symbolic +w / o+w / a+w / ugo+w / o=rwx) on system paths, or invoking chmod / setfacl with those forms, enables privilege escalation: any local user can replace the file's contents. | |
| service_ | HIGH | Service ExecStart Runs Arbitrary Shell | Systemd or init service executing a shell / interpreter with attacker-controlled content | |
| sudo_ | HIGH | SUDO NOPASSWD Configuration | Configuring sudo with NOPASSWD so that privilege escalation requires no password | |
| sudo_ | HIGH | Sudo with Shell Access | Granting sudo access to shell commands, which is equivalent to granting an unrestricted root shell | |
| win_ | HIGH | Windows/AD User Added to Administrators or Domain Admins | ansible.windows.win_group / win_domain_group_membership / community.windows.win_domain_user adds a principal to a highly privileged local or domain group (Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators). Direct membership grants Tier-0 authority in AD. | |
| windows_ | HIGH | LSA Protection (RunAsPPL) disabled or explicitly removed | A task sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 0 (disabling LSA Protection) or deletes the value entirely. RunAsPPL=1 runs lsass.exe as a Protected Process Light, preventing non-PPL processes from opening a full-access handle to LSASS memory - this blocks Mimikatz sekurlsa::logonpasswords, procdump -ma lsass.exe, and comsvcs.dll MiniDump without a kernel-mode vulnerable-driver (BYOVD) bypass. Microsoft began enabling RunAsPPL by default on Windows 11 22H2+ and Server 2022; explicitly disabling or removing it is a clear privilege-escalation enabler and is the precursor to 80%+ of successful credential-dumping operations per 2024 Secureworks IR reports. | |
| windows_ | HIGH | Grant of Sensitive Windows Token Privileges | Grants SeDebugPrivilege, SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, or SeBackupPrivilege to a service or user account. These privileges allow LSASS access (credential theft), token impersonation (Potato-family attacks), or acting as SYSTEM - any of which is a domain-compromise primitive if granted to a low-trust account. | |
| windows_ | HIGH | Windows Service Created With Unquoted BinaryPath Containing Spaces (LPE Primitive) | A task creates a Windows service (win_service, sc create, New-Service, CreateService API call) with a BinaryPathName / binPath / start_mode value that contains a space AND is NOT wrapped in quotes. Example: C:\Program Files\Acme\App Helper\service.exe (unquoted) - Windows parses this left-to-right, attempting C:\Program.exe, then C:\Program Files\Acme\App.exe, then the real path. An attacker who can write to C:\ (the most restrictive NTFS default still lets Authenticated Users write) or C:\Program Files\Acme\ (common on shared dev workstations) drops App.exe, and Windows runs it with the service's (typically SYSTEM or LocalService) privileges on next boot. Detection tool: wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v '"'. Still prevalent in 2024: a single-digit percentage of third-party installers ship with this defect (notably some VPN clients, a few vendor 'agent' services, and several bundled OEM utilities). | |
| become_ | MEDIUM | Unsafe Become Method | Using potentially unsafe become methods for privilege escalation | |
| wheel_ | MEDIUM | Addition to Wheel Group | usermod -aG wheel or gpasswd -a | |