Privilege Escalation Detection in Logs

What This Means

Detect privilege escalation attacks in Windows and Linux logs. Identify unauthorized elevation from standard user to admin, token manipulation, and exploitation of misconfigurations.

Example Log

-- Windows privilege escalation indicators:
[4672] Special privileges assigned to jsmith (unexpected — not an admin)
[4688] jsmith ran: cmd.exe /c "net localgroup Administrators jsmith /add"
[4732] jsmith was added to Administrators group by jsmith
[4688] jsmith ran: powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"

-- Linux privilege escalation:
jsmith : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
kernel: jsmith[12345] used exploit CVE-2021-4034 to gain root

Indicators of Suspicious Activity

How to Investigate

  1. Determine the initial privilege level of the account before escalation
  2. Identify the escalation method (group modification, exploit, token manipulation, sudo abuse)
  3. Check what actions were performed with the elevated privileges
  4. Assess whether the escalation was authorized (emergency admin task) or unauthorized
  5. Review for other compromised accounts that may have been used in the chain
  6. Check for persistence mechanisms installed with elevated privileges

Recommended Mitigations

Frequently Asked Questions

What is privilege escalation?
Privilege escalation is when an attacker gains higher-level permissions than they are authorized for. Vertical escalation goes from user to admin. Horizontal escalation accesses another user's resources at the same privilege level.
What are common Windows privilege escalation techniques?
Common techniques: UAC bypass (fodhelper, eventvwr), token manipulation (SeImpersonatePrivilege abuse), unquoted service paths, DLL hijacking, the AlwaysInstallElevated MSI policy, and kernel exploits.
How do I detect privilege escalation in real-time?
Monitor Event 4672 (privilege assignment) for non-admin accounts, Event 4732 (group membership changes) for privilege groups, and Event 4688 (process creation) for known escalation tool signatures. EDR provides the deepest detection.
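As an added example (not this page's own code or its scanner), the following Python detector applies the three rules from this answer, plus a sudo-to-root-shell rule for the Linux line, to the simplified log format used in the Example Log above rather than to raw Windows event XML or journald output. The admin allowlist, the privileged-group list and the sample lines are constructed assumptions.

```python
import re

# Constructed sample log in the simplified "[EventID] message" format used on this page.
SAMPLE_LOG = """\
[4672] Special privileges assigned to jsmith (unexpected - not an admin)
[4688] jsmith ran: cmd.exe /c "net localgroup Administrators jsmith /add"
[4732] jsmith was added to Administrators group by jsmith
[4688] jsmith ran: powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"
[4672] Special privileges assigned to svc_backup
jsmith : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""

# Assumed environment knowledge; a real deployment pulls these from AD and the sudoers policy.
KNOWN_ADMINS = {"svc_backup", "administrator"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "remote desktop users"}
# Command-line signatures for the escalation and defense-evasion steps shown in the Example Log.
SUSPICIOUS_CMDS = [
    ("local-admin-add", re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("defender-disabled", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
]

WIN_EVENT = re.compile(r"^\[(\d{4})\]\s+(.*)$")
SUDO_LINE = re.compile(r"^(\S+)\s*:\s*TTY=(\S+)\s*;\s*PWD=(\S+)\s*;\s*USER=(\S+)\s*;\s*COMMAND=(.*)$")

def detect(log_text):
    """Return (rule, user, detail) findings for suspicious lines; benign lines yield nothing."""
    findings = []
    for line in log_text.splitlines():
        m = WIN_EVENT.match(line)
        if m:
            event_id, msg = m.groups()
            if event_id == "4672":
                user = msg.split("assigned to", 1)[1].split()[0]
                if user.lower() not in KNOWN_ADMINS:  # special privileges on a non-admin account
                    findings.append(("4672-non-admin", user, msg))
            elif event_id == "4732":
                g = re.match(r"(\S+) was added to (.+?) group by (\S+)", msg)
                if g and g.group(2).lower() in PRIVILEGED_GROUPS:  # membership change on a privileged group
                    findings.append(("4732-priv-group", g.group(1), msg))
            elif event_id == "4688" and " ran: " in msg:
                user, cmd = msg.split(" ran: ", 1)
                for rule, pat in SUSPICIOUS_CMDS:  # process creation matching a known escalation signature
                    if pat.search(cmd):
                        findings.append(("4688-" + rule, user, cmd))
            continue
        s = SUDO_LINE.match(line)
        if s and s.group(4) == "root" and s.group(5).strip().endswith(("/bash", "/sh")):
            findings.append(("sudo-root-shell", s.group(1), line))  # sudo straight to an interactive root shell
    return findings
```

Running `detect(SAMPLE_LOG)` flags five of the six lines; the 4672 event for the allowlisted svc_backup account is the only one left alone.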