mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
mukul975
45 lines
1.3 KiB
Markdown
45 lines
1.3 KiB
Markdown
# API Reference: Detecting Privilege Escalation Attempts
|
|
|
|
## Windows Privilege Escalation Techniques
|
|
|
|
| Technique | MITRE ID | Detection |
|
|
|-----------|----------|-----------|
|
|
| UAC Bypass | T1548.002 | eventvwr.exe, fodhelper.exe |
|
|
| Token Manipulation | T1134 | SeDebugPrivilege (Event 4672) |
|
|
| Service Modification | T1543.003 | sc config binpath= |
|
|
| Potato Exploits | T1134.001 | JuicyPotato, PrintSpoofer |
|
|
| Scheduled Task | T1053.005 | schtasks /ru SYSTEM |
|
|
|
|
## Linux Privilege Escalation Techniques
|
|
|
|
| Technique | MITRE ID | Detection |
|
|
|-----------|----------|-----------|
|
|
| SUID Abuse | T1548.001 | find -perm 4000 |
|
|
| Sudo Exploitation | T1548.003 | sudo -l enumeration |
|
|
| Kernel Exploit | T1068 | DirtyPipe, PwnKit |
|
|
| Cron Abuse | T1053.003 | crontab modification |
|
|
|
|
## Key Windows Event IDs
|
|
|
|
| Event ID | Detection |
|
|
|----------|-----------|
|
|
| 4672 | Special Privileges Assigned |
|
|
| 4688 | Process Creation |
|
|
| Sysmon 1 | Process Create with cmdline |
|
|
|
|
## Splunk SPL
|
|
|
|
```spl
|
|
index=wineventlog (EventCode=4672 OR EventCode=4688)
|
|
| where match(PrivilegeList, "SeDebugPrivilege")
|
|
OR match(CommandLine, "(?i)(fodhelper|juicypotato)")
|
|
| table _time User CommandLine Computer
|
|
```
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
python agent.py --evtx-file Sysmon.evtx
|
|
python agent.py --text-log auth.log
|
|
```
|