This search may produce false positives, as password-changing actions may be part of normal behaviour. The operator will need to investigate these actions in order to discern exploitation attempts.

Techniques

Sample rules

Splunk Edit User Privilege Escalation

Description

A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.

Detection logic

`audittrail` action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user)
| stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user
| `splunk_edit_user_privilege_escalation_filter`
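The search above, re-implemented in Python as an added example (not part of the LoFP page or Splunk's own code) so the filter and the per-user `stats` grouping can be checked offline; the audittrail events it runs over are constructed samples with the field names the search uses.

```python
from collections import defaultdict

# Same action set and user exclusions as the SPL search.
PASSWORD_ACTIONS = {"change_own_password", "password_change", "edit_password"}
EXCLUDED_USERS = {"admin", "splunk-system-user"}

# Constructed sample events shaped like Splunk audittrail records.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "alice", "action": "change_own_password",
     "info": "granted", "index": "_audit", "sourcetype": "audittrail"},
    {"_time": 1700000050, "user": "bob", "action": "edit_password",
     "info": "denied", "index": "_audit", "sourcetype": "audittrail"},
    {"_time": 1700000100, "user": "admin", "action": "password_change",
     "info": "granted", "index": "_audit", "sourcetype": "audittrail"},
    {"_time": 1699999900, "user": "alice", "action": "edit_password",
     "info": "granted", "index": "_audit", "sourcetype": "audittrail"},
    {"_time": 1700000200, "user": "carol", "action": "edit_user",
     "info": "granted", "index": "_audit", "sourcetype": "audittrail"},
]


def matches(event):
    """Mirror of the search's filter: password action, granted, non-excluded user."""
    return (event.get("action") in PASSWORD_ACTIONS
            and event.get("info") == "granted"
            and event.get("user") not in EXCLUDED_USERS)


def detect(events):
    """Mirror of `stats earliest(_time) ... values(...) by user`: one row per user."""
    rows = defaultdict(lambda: {"event_time": None, "index": set(),
                                "sourcetype": set(), "action": set(), "info": set()})
    for ev in events:
        if not matches(ev):
            continue
        row = rows[ev["user"]]
        if row["event_time"] is None or ev["_time"] < row["event_time"]:
            row["event_time"] = ev["_time"]  # earliest(_time)
        for field in ("index", "sourcetype", "action", "info"):
            row[field].add(ev[field])       # values(field): distinct values
    # Splunk's values() yields sorted, de-duplicated lists.
    return {user: {k: (sorted(v) if isinstance(v, set) else v) for k, v in row.items()}
            for user, row in rows.items()}


if __name__ == "__main__":
    for user, row in detect(SAMPLE_EVENTS).items():
        print(user, row)  # only alice survives the filter in the sample data
```

Each surviving row is a candidate for the manual review the false-positive note calls for, since a user changing their own password is ordinary activity until the accompanying `edit_user` context says otherwise.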