SC-200 Sentinel – Privilege escalation attack – Simulation, detection and response

source: SC-200T00A-Microsoft-Security-Operations-Analyst

Part 1: Run the attack

In this guide we will simulate an attacker adding a new user on our victim machine and elevating that user into the local Administrators group. On the victim machine, start cmd as administrator and run the following:

net user malicioususer1 /add
net user malicioususer1 ThePassword1!
net localgroup administrators malicioususer1 /add

Part 2: Create the KQL query

We now need to write a KQL query that returns the events generated by the attack. Once the query returns the right data, we can turn it into an Analytics rule and configure it to create an alert or an incident.

In the following query we will use event ID 4732, "A member was added to a security-enabled local group".

We will use the following query provided by the Microsoft Lab used for this guide:

SecurityEvent 
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
| extend Acct = MemberSid, MachId = SourceComputerId  
| join kind=leftouter (
    SecurityEvent 
    | summarize count() by TargetSid, SourceComputerId, TargetUserName 
    | project Acct1 = TargetSid, MachId1 = SourceComputerId, UserName1 = TargetUserName) on $left.MachId == $right.MachId1, $left.Acct == $right.Acct1
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName1

We can see we have a match in the last 24 hours.
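To make the logic of the lab query explicit, here is an added example (not part of the SC-200 lab) that re-implements it in Python over constructed SecurityEvent rows. It shows why the join exists: a 4732 event only carries the new member's SID (MemberSid), so the query joins back to other rows of the same machine that pair a TargetSid with a TargetUserName to recover the account name, and the leftouter join leaves the name empty when no such row exists. Column names follow the lab query; all event values are made up.

```python
# Added example: Python equivalent of the lab's KQL detection for event 4732
# on Builtin\Administrators, including the SID-to-username join.

# Constructed sample rows mimicking the SecurityEvent columns the KQL query uses.
SAMPLE_EVENTS = [
    # 4720 (user account created) supplies the SID -> name mapping for the join
    {"TimeGenerated": "2023-01-01T10:00:00Z", "EventID": 4720, "Computer": "Device1VM",
     "SourceComputerId": "vm-1", "TargetSid": "S-1-5-21-111-1001",
     "TargetUserName": "malicioususer1", "TargetAccount": "", "MemberSid": ""},
    # 4732 into Builtin\Administrators: the row the detection must flag
    {"TimeGenerated": "2023-01-01T10:00:05Z", "EventID": 4732, "Computer": "Device1VM",
     "SourceComputerId": "vm-1", "TargetSid": "S-1-5-32-544",
     "TargetUserName": "Administrators", "TargetAccount": "Builtin\\Administrators",
     "MemberSid": "S-1-5-21-111-1001"},
    # 4732 into a different local group: must not match the TargetAccount filter
    {"TimeGenerated": "2023-01-01T10:01:00Z", "EventID": 4732, "Computer": "Device1VM",
     "SourceComputerId": "vm-1", "TargetSid": "S-1-5-32-555",
     "TargetUserName": "Remote Desktop Users",
     "TargetAccount": "Builtin\\Remote Desktop Users", "MemberSid": "S-1-5-21-111-1002"},
    # 4732 on another host whose member SID never appears elsewhere: leftouter miss
    {"TimeGenerated": "2023-01-01T10:02:00Z", "EventID": 4732, "Computer": "Device2VM",
     "SourceComputerId": "vm-2", "TargetSid": "S-1-5-32-544",
     "TargetUserName": "Administrators", "TargetAccount": "Builtin\\Administrators",
     "MemberSid": "S-1-5-21-222-1005"},
]


def detect_local_admin_adds(events):
    """Return one hit per 4732 event targeting Builtin\\Administrators, with the
    member SID resolved to a username where the same machine logged it."""
    # Right side of the KQL join: (SourceComputerId, TargetSid) -> TargetUserName
    sid_to_name = {}
    for e in events:
        if e.get("TargetSid") and e.get("TargetUserName"):
            sid_to_name[(e["SourceComputerId"], e["TargetSid"])] = e["TargetUserName"]

    hits = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetAccount"] != "Builtin\\Administrators":
            continue
        key = (e["SourceComputerId"], e["MemberSid"])  # $left.MachId, $left.Acct
        hits.append({
            "timestamp": e["TimeGenerated"],
            "HostCustomEntity": e["Computer"],
            # None mirrors the empty UserName1 a leftouter join yields on a miss
            "AccountCustomEntity": sid_to_name.get(key),
            "MemberSid": e["MemberSid"],
        })
    return hits
```

An unresolved AccountCustomEntity is still worth an incident: the SID in MemberSid identifies the account even when no name was logged on that host.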

Part 3: Create Alert/Incident

We can now select + New alert rule > Create an Azure Sentinel alert.

We will use the following settings:

Review and Save

Now that our Analytics rule is saved, it will run every 5 minutes as per our configuration, so we should have an incident shortly.

Part 4: Incident triage

Select all incidents pertaining to “SecurityEvent Local Administrators User Add” and click on Actions.

We will set the severity level to High, assign ownership to ourselves with “Assign to me”, and set the status to Active.

We can select the Owner tab and choose “Assigned to me” in order to view only the incidents assigned to us for further investigation.

Select the incident to obtain details on the affected entities, such as the username and the affected hostname.

Go to View full details; there we will add the comment “Investigating Admin user created on Device1VM”.

In this case we know malicioususer1 is just a test user we created for the purpose of this demo.

We will go to our affected Windows 10 VM and open Settings > Accounts > Other users.

Here we can verify that the user “malicioususer1” has indeed been added as an Administrator – Local account.

We will remove the account from the affected VM.

Now that we have removed the suspicious user from our local Administrators group, we can go back to Sentinel and close our incident with the following:

Author: user
