Techniques
Sample rules
Splunk Edit User Privilege Escalation
- source: splunk
- techniques:
- T1548
Description
A low-privilege user whose role has the edit_user capability assigned to it can escalate their privileges to those of the admin user by sending specially crafted web requests.
Detection logic
`audittrail` action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user)
| stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user
| `splunk_edit_user_privilege_escalation_filter`
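To show what the search above actually selects and aggregates, here is an added Python emulation of the rule run over constructed audittrail-style sample lines (example code, not part of the rule or of Splunk). It assumes every line already comes from the `audittrail` macro's source, so the values(index) and values(sourcetype) columns are omitted, and it treats the filter macro as a no-op.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of Splunk _audit "audittrail" events (not real data).
SAMPLE_AUDIT = """\
Audit:[timestamp=03-10-2023 10:00:01.000, user=admin, action=edit_password, info=granted]
Audit:[timestamp=03-10-2023 10:05:12.000, user=bob, action=change_own_password, info=granted]
Audit:[timestamp=03-10-2023 10:07:45.000, user=bob, action=edit_password, info=granted]
Audit:[timestamp=03-10-2023 10:08:00.000, user=carol, action=edit_password, info=denied]
Audit:[timestamp=03-10-2023 10:09:30.000, user=splunk-system-user, action=password_change, info=granted]
Audit:[timestamp=03-10-2023 10:11:02.000, user=bob, action=search, info=granted]
"""

# The three conditions of the rule's base search.
WATCHED_ACTIONS = {"change_own_password", "password_change", "edit_password"}
EXCLUDED_USERS = {"admin", "splunk-system-user"}
KV_RE = re.compile(r"(\w+)=([^,\]]+)")


def parse_audit_line(line):
    """Split one audittrail-style line into a dict of its key=value fields."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def matches_rule(ev):
    """Base-search filter: watched action, info=granted, user not in the exclusion list."""
    return (ev.get("action") in WATCHED_ACTIONS
            and ev.get("info") == "granted"
            and ev.get("user") not in EXCLUDED_USERS)


def detect(raw):
    """Emulate `| stats earliest(_time) as event_time values(action) as action
    values(info) as info by user` over the filtered events. Returns {user: summary}."""
    findings = {}
    for line in raw.splitlines():
        ev = parse_audit_line(line)
        if not matches_rule(ev):
            continue
        ts = datetime.strptime(ev["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        s = findings.setdefault(ev["user"], {"event_time": ts, "action": set(), "info": set()})
        s["event_time"] = min(s["event_time"], ts)  # earliest(_time)
        s["action"].add(ev["action"])               # values(action)
        s["info"].add(ev["info"])                   # values(info)
    return findings


if __name__ == "__main__":
    for user, s in detect(SAMPLE_AUDIT).items():
        print(user, s["event_time"], sorted(s["action"]), sorted(s["info"]))
```

Only `bob` survives the filter: admin and splunk-system-user are excluded by name, carol's attempt was denied, and bob's later `search` action is not one of the watched password actions.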