Unusual Privilege Type assigned to a User
A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity. This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity.
This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs.
"""
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
name = "Unusual Privilege Type assigned to a User"
references = [
  "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
  "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "27569131-560e-441e-b556-0b9180af3332"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
  "Use Case: Privileged Access Detection",
  "Rule Type: ML",
  "Rule Type: Machine Learning",
  "Tactic: Privilege Escalation",
  "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Privilege Type assigned to a User

In modern IT environments, privilege management is crucial for maintaining security. Adversaries may exploit uncommon privilege types to perform unauthorized actions, bypassing standard detection. The detection rule leverages machine learning to identify deviations from normal privilege usage patterns, flagging potential privilege escalation attempts. By analyzing user behavior against established baselines, it helps detect and mitigate unauthorized access risks.

### Possible investigation steps

- Review the user's recent activity logs to identify any unusual or unauthorized actions associated with the uncommon privilege type.
- Cross-reference the identified privilege type with the user's role and responsibilities to determine if the usage is justified or anomalous.
- Check for any recent changes in the user's account settings or privilege assignments that could explain the deviation from the baseline.
- Investigate any recent system or application changes that might have introduced new privilege types or altered existing ones.
- Consult with the user's manager or relevant department to verify if there was a legitimate need for the unusual privilege type usage.
- Analyze the timeline of events leading up to the alert to identify any potential indicators of compromise or privilege escalation attempts.

### False positive analysis

- Users with multiple roles may trigger false positives if they occasionally use privileges associated with less common roles. Regularly review and update role-based access controls to ensure they reflect current responsibilities.
- Temporary project assignments can lead to unusual privilege usage. Implement a process to document and approve temporary privilege changes, and exclude these documented cases from triggering alerts.
- System administrators or IT staff might use uncommon privileges during maintenance or troubleshooting. Establish a whitelist for known maintenance activities and exclude these from the detection rule.
- Automated scripts or applications that require elevated privileges might be flagged. Ensure these scripts are registered and their privilege usage is documented, then exclude them from the rule.
- New employees or contractors may initially use privileges that seem unusual. Monitor their activity closely during the onboarding period and adjust baselines as their normal usage patterns become clear.

### Response and remediation

- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its credentials.
- Review and revoke any unusual or unnecessary privileges assigned to the user account to ensure it aligns with their normal operational requirements.
- Conduct a thorough audit of recent activities performed by the user account to identify any unauthorized actions or data access that may have occurred.
- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure coordinated response efforts.
- Implement additional monitoring on the affected user account and similar accounts to detect any further suspicious activities or privilege misuse.
- Update and reinforce access control policies to prevent similar privilege escalation attempts, ensuring that privilege assignments are regularly reviewed and validated.
- Document the incident details, response actions taken, and lessons learned to improve future incident response and privilege management processes."""

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
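As an added illustration (not Elastic's ML job, which uses anomaly detection scoring rather than a plain count), the following Python approximates what the rule looks for: build a per-user baseline of privilege types, then flag window events whose privilege type is rare or unseen for that user, while honouring a list of documented, approved exceptions as the false positive analysis recommends. The events are constructed, shaped loosely after the PrivilegeList field of Windows Security Event ID 4672; the user names, privilege values and `min_seen` threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events: (user, privilege type), loosely shaped after
# the PrivilegeList field of Windows Security Event ID 4672. Real events
# carry many more fields; only these two matter for the baseline idea.
BASELINE_EVENTS = [
    ("alice", "SeChangeNotifyPrivilege"), ("alice", "SeChangeNotifyPrivilege"),
    ("alice", "SeIncreaseWorkingSetPrivilege"), ("alice", "SeChangeNotifyPrivilege"),
    ("bob", "SeBackupPrivilege"), ("bob", "SeRestorePrivilege"),
    ("bob", "SeBackupPrivilege"), ("bob", "SeDebugPrivilege"),
]
WINDOW_EVENTS = [
    ("alice", "SeChangeNotifyPrivilege"),  # routine for alice
    ("alice", "SeDebugPrivilege"),         # never seen for alice: flagged
    ("bob", "SeDebugPrivilege"),           # seen once for bob: rare, flagged
    ("bob", "SeBackupPrivilege"),          # common for bob
    ("svc_backup", "SeBackupPrivilege"),   # documented exception, see ALLOWLIST
]
# Approved, documented (user, privilege) pairs excluded from alerting, the
# "exclude these documented cases" step of the false positive analysis.
ALLOWLIST = frozenset({("svc_backup", "SeBackupPrivilege")})


def build_baseline(events):
    """Count how often each user was assigned each privilege type."""
    baseline = defaultdict(Counter)
    for user, priv in events:
        baseline[user][priv] += 1
    return baseline


def rare_privileges(baseline, window, allowlist=frozenset(), min_seen=2):
    """Return (user, privilege, baseline_count) for each distinct window pair
    whose privilege type appears fewer than min_seen times in that user's
    baseline. Users with no baseline at all score 0 for every privilege."""
    flagged, reported = [], set()
    for user, priv in window:
        if (user, priv) in allowlist or (user, priv) in reported:
            continue
        count = baseline.get(user, Counter())[priv]  # Counter returns 0 if unseen
        if count < min_seen:
            flagged.append((user, priv, count))
            reported.add((user, priv))
    return flagged


if __name__ == "__main__":
    for hit in rare_privileges(build_baseline(BASELINE_EVENTS), WINDOW_EVENTS, ALLOWLIST):
        print("rare privilege type for user:", hit)
```

Each flagged tuple is a starting point for the investigation steps above: the baseline count tells the analyst whether the privilege is merely infrequent for that user or entirely new.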
Related rules
- High Command Line Entropy Detected for Privileged Commands
- Spike in Group Application Assignment Change Events
- Spike in Group Lifecycle Change Events
- Spike in Group Management Events
- Spike in Group Membership Events