I am working on an intrusion detection system which can prioritize and attribute the logs generated by OSSEC. So, how can I understand a privilege escalation case (or just the privileges a user has at that time) by looking at these logs?
- What log sources are you analysing and what activity? Do you want to know, by looking at logs alone, how someone increased their own privileges? I could say that it is simple: you look at the Windows AD logs and look for the event where a user's privs are changed. But I'm guessing that you are *really* looking for instances where someone *gains someone else's privileges*. And that is far trickier than you can imagine. – schroeder Oct 22 '17 at 08:44
- You need to refine this question because as it stands, it is far too broad to answer. What logs? What activities? What does privilege escalation look like in the environment you are interested in? – schroeder Oct 22 '17 at 08:45