This event occurs when a user has escalated privilege to a higher privileged account.
Why this Event is Important
Mostly benign, but in some cases it may indicate malicious activity: either an insider threat or an attacker exploiting a privilege escalation vulnerability.
After the initial compromise, a malicious actor typically needs to escalate privileges to move laterally in the network, execute malware, achieve persistence, etc. Escalating privilege usually indicates human intervention.
Identify the user and application to determine whether the behavior is expected, for example as part of a troubleshooting session. If the behavior is not expected, expand the time horizon and investigate pre- and post-event user activity across the data center. Investigate further actions taken by the privileged account and look for indicators of persistence, such as new crontab entries, and for the running of applications that require escalated privileges, such as interacting with sockets.
Determine if the privilege escalation was routine and benign. If it appears to be malicious, disable the user and take the necessary steps to restore any impacted hosts to a known, clean state.
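As an added example (not part of the original event description), the following Python script parses constructed sudo/su auth-log lines to extract who escalated, to which account, and what command ran, and flags commands that touch crontab as the kind of persistence indicator the triage steps above call out. The log lines and the PERSISTENCE_HINTS list are constructed assumptions, not data from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample auth-log lines (syslog-style sudo/su records), not from the original page.
SAMPLE_LOG = """\
Mar 10 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:20:11 web01 sshd[2211]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
Mar 10 23:41:57 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/crontab -e
Mar 10 23:43:03 web01 su[3302]: (to root) bob on pts/1
"""

# sudo logs the invoking user, the target USER= and the COMMAND=; su logs "(to <target>) <user>".
SUDO_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
                     r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
                   r"\(to (?P<target>\S+)\) (?P<user>\S+) on ")

# Hypothetical list of command fragments that suggest a persistence mechanism is being set up.
PERSISTENCE_HINTS = ("crontab", "/etc/cron", "systemctl enable")


@dataclass
class Escalation:
    ts: str
    host: str
    user: str            # account that escalated
    target: str          # higher-privileged account it escalated to
    command: Optional[str]   # None for su, which does not record a command
    persistence_hint: bool   # True when the command matches a PERSISTENCE_HINTS fragment


def parse_escalations(log: str) -> List[Escalation]:
    """Return one Escalation per sudo/su privilege escalation found in the log text."""
    events: List[Escalation] = []
    for line in log.splitlines():
        cmd: Optional[str] = None
        m = SUDO_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
        else:
            m = SU_RE.match(line)
            if not m:
                continue  # not an escalation record (e.g. sshd login)
        hint = cmd is not None and any(h in cmd for h in PERSISTENCE_HINTS)
        events.append(Escalation(m.group("ts"), m.group("host"), m.group("user"),
                                 m.group("target"), cmd, hint))
    return events


def flagged_users(events: List[Escalation]) -> List[str]:
    """Users whose escalated commands touched a persistence-related path, for analyst follow-up."""
    return sorted({e.user for e in events if e.persistence_hint})
```

Feeding the script a real auth log would give the user/application pairs needed for the "is this expected?" decision, with persistence-related commands surfaced first.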