An adversary may be attempting to escalate privileges within the environment to gain higher access levels and move laterally. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts early and prevent further compromise.
YARA Rule
rule escalate_priv {
    meta:
        author = "x0r"
        description = "Escalate privileges"
        version = "0.1"
    strings:
        // DLL exporting the token-manipulation APIs; nocase so mixed-case import names still hit
        $d1 = "Advapi32.dll" nocase
        // privilege name and API name are matched case-sensitively
        $c1 = "SeDebugPrivilege"
        $c2 = "AdjustTokenPrivileges"
    condition:
        1 of ($d*) and 1 of ($c*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic: one DLL name ($d1, matched case-insensitively) and two case-sensitive identifiers ($c1, $c2). It fires only when the DLL name and at least one of the two identifiers are both present, so a file referencing SeDebugPrivilege or AdjustTokenPrivileges without Advapi32.dll does not match.
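To make the matching semantics concrete, the following is an added Python re-implementation of the rule's string and condition logic; it is not the YARA engine and not part of the original rule set, and the sample buffers are constructed for illustration:

```python
import re

# Mirror of the escalate_priv rule strings. $d1 carries the "nocase" modifier,
# so it is compiled case-insensitively; $c1 and $c2 are exact-case matches.
D_STRINGS = {"$d1": re.compile(re.escape(b"Advapi32.dll"), re.IGNORECASE)}
C_STRINGS = {
    "$c1": re.compile(re.escape(b"SeDebugPrivilege")),
    "$c2": re.compile(re.escape(b"AdjustTokenPrivileges")),
}


def matched_strings(data: bytes) -> dict:
    """Return the rule string identifiers found in data, mapped to first offset."""
    found = {}
    for ident, pattern in {**D_STRINGS, **C_STRINGS}.items():
        hit = pattern.search(data)
        if hit:
            found[ident] = hit.start()
    return found


def escalate_priv(data: bytes) -> bool:
    """Evaluate the rule condition: 1 of ($d*) and 1 of ($c*)."""
    found = matched_strings(data)
    has_d = any(ident in found for ident in D_STRINGS)
    has_c = any(ident in found for ident in C_STRINGS)
    return has_d and has_c


# Constructed sample buffers (not real binaries), standing in for scanned file content.
# Upper-case import name still satisfies $d1 because of "nocase"; $c2 is exact-case.
SAMPLE_IMPORTS = b"\x00ADVAPI32.DLL\x00OpenProcessToken\x00AdjustTokenPrivileges\x00"
# Lower-case privilege name does NOT satisfy the case-sensitive $c1.
SAMPLE_LOWERCASE = b"advapi32.dll sedebugprivilege"
# Both $c strings present but no $d string: condition is not met.
SAMPLE_NO_DLL = b"SeDebugPrivilege AdjustTokenPrivileges"

if __name__ == "__main__":
    for name, buf in [("imports", SAMPLE_IMPORTS), ("lowercase", SAMPLE_LOWERCASE),
                      ("no_dll", SAMPLE_NO_DLL)]:
        print(name, escalate_priv(buf), matched_strings(buf))
```

Because any binary that imports AdjustTokenPrivileges through Advapi32.dll satisfies the condition, legitimate installers and administrative tools will match as well, which is why the exclusions below are needed when the rule is used for hunting.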
Scenario: A system administrator uses runas to execute a maintenance script with elevated privileges.
Filter/Exclusion: process.parent_process_name == "cmd.exe" AND process.command_line LIKE '%runas%'

Scenario: A scheduled job runs a PowerShell script to update software using Invoke-Command with -Credential.
Filter/Exclusion: process.name == "powershell.exe" AND process.command_line LIKE '%Invoke-Command%'

Scenario: A database administrator uses sqlcmd to run a script with elevated permissions for routine backups.
Filter/Exclusion: process.name == "sqlcmd.exe" AND process.command_line LIKE '%BACKUP DATABASE%'

Scenario: A DevOps engineer uses sudo to execute a deployment script on a Linux server.
Filter/Exclusion: process.name == "sudo" AND process.parent_process_name == "bash" AND process.command_line LIKE '%deployment_script.sh%'

Scenario: A user runs a legitimate third-party tool like 7-Zip with elevated privileges to extract a large archive.
Filter/Exclusion: process.name == "7z.exe" AND process.command_line LIKE '%x %'
(The 'x ' pattern matches 7-Zip's extract command.)