Privilege escalation often follows an initial foothold. Early identification and controlled response are critical to limit damage while preserving evidence.
Detection Indicators
- New local admin accounts
- Event ID 4672 (special privileges assigned)
- Unexpected group membership changes
- Suspicious scheduled tasks or services
Scope
- Windows endpoints and servers
- Local and domain-joined systems
Phase 1: Evidence Collection (READ-ONLY)
Document:
- Account names
- Creation timestamps
- Logon source
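The read-only collection described in Phase 1, as an added PowerShell example that is not part of the original playbook. It pulls Security events 4672 (special privileges assigned) and 4720 (user account created) for a time window, records current local Administrators membership, and preserves all of it as CSV before any containment step; the output directory and the 24-hour window are assumptions.

```powershell
# Added example, not from the original playbook: read-only Phase 1 collection of
# Security events 4672 and 4720 for the last $Hours hours plus local Administrators
# membership, saved as CSV. Assumes Win10/Server 2016+ and rights to read the log.
param(
    [int]$Hours = 24,
    [string]$OutDir = "$env:TEMP\privesc-evidence"   # assumed output location
)
# Flatten an event's <EventData> into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddHours(-$Hours)
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 4672: who received special privileges, when, and under which logon session
# (SubjectLogonId lets the entry be matched to its 4624 logon later).
$special = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId     = $d.SubjectLogonId
            Privileges  = ($d.PrivilegeList -replace '\s+', ' ').Trim()
        }
    }
# 4720: account creation timestamp and the account that created it.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; NewAccount = $d.TargetUserName; CreatedBy = $d.SubjectUserName }
    }

# Current local Administrators membership, to compare against a known baseline.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource

# Preserve everything before any containment step touches the host.
$special | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "4672-$stamp.csv")
$created | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "4720-$stamp.csv")
$admins  | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "local-admins-$stamp.csv")

# Triage view: distinct accounts that received special privileges in the window.
$special | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name
```

Nothing in the script modifies accounts, groups or logs, so it can be re-run on the same host to check that the CSV snapshots agree before containment begins.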
Phase 2: Containment
- Disable suspicious accounts
- Isolate host from network if needed
- Preserve logs before remediation
Phase 3: Validation
Review persistence mechanisms (the scheduled tasks, services and group memberships listed under Detection Indicators) to confirm the escalation path is closed before moving to recovery.
Phase 4: Recovery
- Remove unauthorized privileges
- Rotate credentials
- Apply hardening baselines
Rollback
If containment actions were overly restrictive, restore access based on validated account ownership.