This note documents detection patterns related to Privilege Escalation via Folder / Group Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4670 | Permissions on object changed | Critical | Core event when an attacker modifies the DACL on folders, files, or privileged paths; OldSd / NewSd carry the before and after security descriptor. Needs the Audit Authorization Policy Change subcategory enabled (and, for file-system objects, a SACL on the target). |
| Security | 4663 | Object access | High | Detects write attempts to sensitive folders, but only where Object Access auditing is on and the folder carries a SACL covering write access; without a SACL nothing is logged. |
| Security | 4688 | Process creation | Critical | Shows icacls, takeown, cmd, powershell, net localgroup, or payload execution. Arguments are present only when "Include command line in process creation events" is enabled. |
| Security | 4732 | Member added to security-enabled local group | Critical | Detects an account being added to Administrators or another privileged local group; MemberName is the added principal, TargetUserName the group. |
| Security | 4728 | Member added to security-enabled global group | Critical | Domain group escalation indicator; written on the domain controller that processed the change, so DC Security logs must be collected. |
| Security | 4733 / 4729 | Member removed from security-enabled local / global group | Medium | Cleanup after use, or legitimate privilege adjustment. |
| Sysmon | 1 | Process creation | Critical | Best execution source for ACL abuse and group manipulation commands; includes full command line, hashes, and parent process. |
| Sysmon | 11 | File create | High | Payload dropped into a writable privileged folder; fires on overwrite of an existing binary as well as on new files, but only for paths covered by a FileCreate rule. |
| Sysmon | 13 | Registry value set | High | Often adjacent when folder abuse leads to persistence (Run keys, service ImagePath). |
| Sysmon | 12 | Registry object create/delete | Medium | Supports chained privilege escalation activity. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Writable service path | Non-admin write access under service binary directory | Critical | Classic privilege escalation primitive. |
| Weak ACL on startup folder | User can place executable in privileged startup path | High | Leads to execution at next logon. |
| Group membership spike | User suddenly joins Administrators / Backup Operators | Critical | Direct privilege escalation. |
| icacls on system path | ACL changes under Program Files / Windows paths | Critical | Rare under normal user context. |
| Payload dropped into writable privileged folder | EXE/DLL appears before privileged execution | Critical | Strong escalation chain. |
| takeown.exe usage | Ownership seizure before ACL modification | High | Common attacker preparation. |
| DLL planted in writable privileged folder | Hijack candidate | Critical | Often chained with service restart. |
| Abuse of Backup Operators / Print Operators | Non-admin account receives powerful delegated rights | High | Often overlooked escalation vector. |
Common Tools
| Tool | Usage |
|---|---|
| icacls.exe | Modify file/folder ACLs |
| takeown.exe | Take ownership of protected files |
| net.exe | Add user to local groups |
| net1.exe | Legacy group manipulation |
| PowerShell | ACL modification and group membership changes |
| whoami.exe | Privilege verification |
| accesschk.exe | Identify weak permissions |
| sc.exe | Restart service after replacing binary |
| custom DLL/EXE | Payload planted in writable privileged path |
Relevant Artifacts
- Security Event IDs 4670, 4663, 4732, 4728
- Sysmon Event ID 1
- Sysmon Event ID 11
- Prefetch: ICACLS.EXE, TAKEOWN.EXE, NET.EXE
- Amcache for dropped payloads
- ShimCache for execution history
- MFT / USN Journal for file replacement timeline
- Service Control Manager logs if service binary affected
- ACL metadata on disk
- Group membership snapshots
- EDR lineage for payload launch
MITRE ATT&CK References
- T1574 Hijack Execution Flow
- T1222 File and Directory Permissions Modification
- T1068 Exploitation for Privilege Escalation
- T1098 Account Manipulation
- T1548 Abuse Elevation Control Mechanism
Decision Tree
- Was a privileged folder or ACL modified?
  - Check 4670
  - Identify the target path
- Was group membership altered?
  - Check 4732 / 4728
  - Identify the added principal
- Was a payload dropped?
  - Check Sysmon 11
  - Compare timestamps
- Did a privileged process execute the attacker-controlled file?
  - Service?
  - Scheduled task?
  - Startup path?
- Expand:
  - Parent process
  - User context
  - Adjacent persistence
- Scope:
  - Single host
  - Domain spread
  - Delegation abuse
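The decision tree above, run as one correlation routine over a constructed timeline (an added example written for this note, not code from the original page): it seeds on a Sysmon 11 write into a privileged path by an account that is not SYSTEM or TrustedInstaller, then collects, within a window around the drop, the 4670 ACL change on the target or its directory, preparation commands (icacls, takeown, net localgroup, sc), 4732/4728 group changes, and a Sysmon 1 launch of the planted file as SYSTEM or under services.exe. The flattened event field names, the path prefixes, the window sizes and the sample events are all assumptions.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Writes here by an ordinary user seed a chain (assumed list; adjust per estate).
PRIVILEGED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\",
                       "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\")
# Accounts expected to write into those paths (servicing, installers).
TRUSTED_WRITERS = {"NT AUTHORITY\\SYSTEM", "NT SERVICE\\TrustedInstaller"}
# A parent of services.exe means the planted file was started as a service.
PRIV_PARENTS = {"c:\\windows\\system32\\services.exe"}
PREP_CMD = re.compile(r"(^|\s|\\)(icacls|takeown|net1?\s+localgroup|add-localgroupmember|"
                      r"sc(\.exe)?\s+(start|stop|config))", re.I)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _privileged(path):
    return path.lower().startswith(PRIVILEGED_PREFIXES)


def correlate(events, prep_window=timedelta(minutes=10), exec_window=timedelta(minutes=30)):
    """Walk the decision tree for each Sysmon 11 write into a privileged path.

    One chain per seed: ACL change (4670) on the target or its directory, preparation
    commands (Sysmon 1 / 4688), group changes (4732 / 4728) and any privileged
    execution of the planted file (Sysmon 1), all within [-prep_window, +exec_window].
    """
    events = sorted(events, key=_ts)
    chains = []
    for seed in events:
        if (seed["source"], seed["event_id"]) != ("sysmon", 11):
            continue
        target = seed["target_filename"]
        if not _privileged(target) or seed["user"] in TRUSTED_WRITERS:
            continue
        t0, target_dir = _ts(seed), str(PureWindowsPath(target).parent).lower()
        chain = {"seed": seed, "acl": [], "prep": [], "group": [], "exec": []}
        for e in events:
            if e is seed or e["host"] != seed["host"]:
                continue
            dt = _ts(e) - t0
            if not (-prep_window <= dt <= exec_window):
                continue
            key = (e["source"], e["event_id"])
            if key == ("security", 4670) and e["object_name"].lower().startswith(target_dir):
                chain["acl"].append(e)            # node 1: ACL on the path modified
            elif key in (("sysmon", 1), ("security", 4688)) and PREP_CMD.search(e.get("command_line", "")):
                chain["prep"].append(e)           # icacls / takeown / net / sc preparation
            elif key in (("security", 4732), ("security", 4728)):
                chain["group"].append(e)          # node 2: group membership altered
            elif (key == ("sysmon", 1) and dt >= timedelta(0)
                  and e["image"].lower() == target.lower()
                  and (e["user"] in TRUSTED_WRITERS or e.get("parent_image", "").lower() in PRIV_PARENTS)):
                chain["exec"].append(e)           # node 4: planted file ran privileged
        chain["verdict"] = ("escalation_chain" if chain["exec"]
                            else "suspicious_preparation" if chain["acl"] or chain["prep"] or chain["group"]
                            else "unexplained_privileged_write")
        chains.append(chain)
    return chains


# Constructed timeline for one host (not real telemetry); fields are flattened EventData.
H, SVC = "WS01", "C:\\Program Files\\ExampleSvc\\svc.exe"
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T08:00:00", "host": H, "source": "security", "event_id": 4732,
     "user": "CORP\\helpdesk", "member": "CORP\\svc_backup", "group": "Backup Operators"},
    {"ts": "2026-03-07T09:30:00", "host": H, "source": "sysmon", "event_id": 11, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\msiexec.exe", "target_filename": "C:\\Program Files\\Other\\app.dll"},
    {"ts": "2026-03-07T10:00:05", "host": H, "source": "sysmon", "event_id": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\takeown.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": f'takeown /f "{SVC}"'},
    {"ts": "2026-03-07T10:00:07", "host": H, "source": "sysmon", "event_id": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\icacls.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": f'icacls "{SVC}" /grant alice:F'},
    {"ts": "2026-03-07T10:00:08", "host": H, "source": "security", "event_id": 4670,
     "user": "CORP\\alice", "object_name": SVC},
    {"ts": "2026-03-07T10:00:20", "host": H, "source": "sysmon", "event_id": 11, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cmd.exe", "target_filename": SVC},
    {"ts": "2026-03-07T10:00:30", "host": H, "source": "sysmon", "event_id": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\sc.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "sc start ExampleSvc"},
    {"ts": "2026-03-07T10:00:35", "host": H, "source": "sysmon", "event_id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "image": SVC, "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": f'"{SVC}"'},
    {"ts": "2026-03-07T10:00:40", "host": H, "source": "security", "event_id": 4732,
     "user": "NT AUTHORITY\\SYSTEM", "member": "CORP\\alice", "group": "Administrators"},
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(c["verdict"], c["seed"]["target_filename"],
              {k: len(v) for k, v in c.items() if isinstance(v, list)})
```

The 08:00 Backup Operators change sits outside every window and the 09:30 msiexec write is by SYSTEM, so neither becomes part of a chain; group changes like the first one are still worth alerting on individually with the Sigma rule below. Tune the windows to the estate, and treat the verdict as triage priority rather than proof: a write plus a service launch without the prep commands can still be a hijack if the path was already weak.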
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID in (4670, 4732, 4728)
| project TimeGenerated, Computer, Account, EventID, Activity, ObjectName, TargetAccount, MemberName
```

```kql
// 'Sysmon' assumes a parsed Sysmon table or function; raw ingestion lands in
// Event with Source == "Microsoft-Windows-Sysmon" and needs the EventData parsed.
Sysmon
| where EventID == 1
| where CommandLine has_any ("icacls", "takeown", "net localgroup", "Add-LocalGroupMember")
| project TimeGenerated, Computer, User, CommandLine, ParentImage
```

EQL

```eql
process where process.command_line like~ "*icacls*" or
              process.command_line like~ "*takeown*" or
              process.command_line like~ "*net localgroup*"
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.command_line like~ "*icacls*" ]
  [ file where file.path like~ "C:\\Program Files\\*" ]
```

`like~` is the case-insensitive form; plain `like` would miss `ICACLS.EXE` and mixed-case paths on Windows.
Sigma

```yaml
title: Privilege Escalation Folder Or Group Abuse
id: 0f9d3a7e-folder-group-abuse   # Sigma ids must be a UUID; replace before publishing
status: experimental
description: Detects ACL modification or privileged group membership changes linked to escalation
references:
  - https://attack.mitre.org/techniques/T1222/
  - https://attack.mitre.org/techniques/T1098/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4670
      - 4732
      - 4728
  condition: selection
fields:
  - SubjectUserName
  - ObjectName
  - MemberName
  - TargetUserName
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.privilege_escalation
  - attack.t1222
  - attack.t1098
```

The fields are the raw EventData names: for 4732 / 4728 `MemberName` is the added principal and `TargetUserName` the group; `ObjectName` is populated by 4670 only. Without `service: security` the rule cannot be mapped to the Security channel by most backends.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| ACL audits | Regularly review privileged folder ACLs | Critical | Detect weak paths early |
| Restrict group delegation | Limit who can alter privileged groups | Critical | Prevent silent escalation |
| Sysmon coverage | Enable process + file monitoring | Critical | Required visibility |
| Service binary hardening | Protect service paths | High | Common escalation target |
| WDAC / AppLocker | Restrict planted payload execution | High | Limits abuse |
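The "Writable service path" indirect indicator and the "ACL audits" mitigation both come down to the same check: which low-privileged principals hold write-capable rights on service and startup directories. The following parser, an added example and not part of the original note, turns `icacls <path> /T` output into ACE records and flags those principals. The sample output is constructed to mirror icacls formatting (path and first ACE on one line, remaining ACEs indented by the path length plus one), and the lists of low-privileged principals and write-capable rights are assumptions to adjust for the estate.

```python
import re
from dataclasses import dataclass

# Principals whose write access to a service or startup directory is an escalation
# primitive (assumed list; add domain-wide groups such as Domain Users as needed).
LOW_PRIV_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                       "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
# icacls rights that allow creating/replacing content or rewriting the ACL or owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
# Flags that are not access rights: inheritance/propagation and the ACE type.
NON_RIGHT_FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")
# Fallback for an object with a single ACE (no continuation line gives the column):
# assumes the principal contains no spaces.
SINGLE_ACE_RE = re.compile(r"^(?P<path>.+) (?P<ace>\S+:(?:\([^)]*\))+)$")


@dataclass(frozen=True)
class Ace:
    path: str
    principal: str
    deny: bool
    rights: frozenset


def parse_icacls(output: str):
    """Yield Ace records from `icacls <path> /T` output.

    icacls prints "<path> <first ACE>" then one ACE per line indented by len(path)+1,
    so the indentation of a continuation line locates the end of the path even when
    both the path and the principal (e.g. "NT AUTHORITY\\SYSTEM") contain spaces.
    """
    blocks, current = [], []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line.startswith(" "):
            current.append(line)
        else:
            if current:
                blocks.append(current)
            current = [line]
    if current:
        blocks.append(current)
    for block in blocks:
        first = block[0]
        if len(block) > 1:
            col = len(block[1]) - len(block[1].lstrip(" "))
            path, aces = first[:col].rstrip(), [first[col:]] + [l.strip() for l in block[1:]]
        else:
            m = SINGLE_ACE_RE.match(first)
            if not m:
                continue
            path, aces = m["path"], [m["ace"]]
        for ace in aces:
            m = ACE_RE.match(ace.strip())
            if not m:
                continue
            flags = re.findall(r"\(([^)]*)\)", m["flags"])
            rights = {r for f in flags if f not in NON_RIGHT_FLAGS for r in f.split(",")}
            yield Ace(path, m["principal"], "DENY" in flags, frozenset(rights))


def find_writable(output: str):
    """Return (path, principal, rights) where a low-privileged principal can write.

    Simplification: a DENY ACE carrying any write right for the same principal on the
    same object cancels the finding; real access checks evaluate ACEs in order, per right.
    """
    aces = list(parse_icacls(output))
    denied = {(a.path, a.principal) for a in aces if a.deny and a.rights & WRITE_RIGHTS}
    findings = []
    for a in aces:
        hit = a.rights & WRITE_RIGHTS
        if not a.deny and a.principal in LOW_PRIV_PRINCIPALS and hit and (a.path, a.principal) not in denied:
            findings.append((a.path, a.principal, sorted(hit)))
    return findings


def _icacls_lines(path, aces):
    """Format one object the way icacls does (used only to build constructed sample output)."""
    return [f"{path} {aces[0]}"] + [" " * (len(path) + 1) + a for a in aces[1:]]


SAMPLE_OUTPUT = "\n".join(
    _icacls_lines("C:\\Program Files\\ExampleSvc", [
        "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)", "BUILTIN\\Administrators:(OI)(CI)(F)",
        "BUILTIN\\Users:(OI)(CI)(M)",      # the weakness: Users may replace the service binary
        "BUILTIN\\Users:(OI)(CI)(RX)", "Everyone:(OI)(CI)(RX)"])
    + [""] + _icacls_lines("C:\\Program Files\\ExampleSvc\\svc.exe", [
        "NT AUTHORITY\\SYSTEM:(I)(F)", "BUILTIN\\Administrators:(I)(F)", "BUILTIN\\Users:(I)(RX)"])
    + [""] + _icacls_lines("C:\\Program Files\\ExampleSvc\\logs", [
        "NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)",
        "BUILTIN\\Users:(DENY)(OI)(CI)(W)",  # explicit deny cancels the inherited M below
        "BUILTIN\\Users:(I)(OI)(CI)(M)"])
    + ["", "Successfully processed 3 files; Failed processing 0 files"])

if __name__ == "__main__":
    for path, principal, rights in find_writable(SAMPLE_OUTPUT):
        print(f"WRITABLE  {path}  {principal}  {','.join(rights)}")
```

Feed it real output with `icacls "C:\Program Files" /T > acl.txt` (or the per-service binary directories from `sc qc`) and diff the findings between runs; a principal that newly gains M or F on a service path is exactly the 4670 event this note keys on, seen from the disk side.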