The content of this page has been automatically translated by AI. If you encounter any problems while reading, you can view the corresponding content in Chinese.

Local Privilege Escalation

Last updated: 2025-04-29 10:58:42

This document will guide you on how to view and handle privilege escalation event details, and how to create an allowlist to set permitted privilege escalation behaviors.

Background

Local privilege escalation happens when a user with a low privilege or an unprivileged user has access to a compromised machine and gains administrator or SYSTEM level privileges to fully control the machine. This behavior is likely to be a hacker attack, which can endanger the security of the host. The Anti-Local Privilege Escalation feature monitors privilege escalation events on your servers in real time, allows you to view the event details, handle the events, and create allowlist of permitted privilege escalation events.

Prerequisites

Local privilege escalation is only supported on Professional Version and flagship edition hosts. Basic version and unprotected hosts need to upgrade to the Professional Version or flagship edition to use this feature.

Operation Steps

Alarm List

1. Log in to the CWPP Console, select Intrusion Detection > Local Privilege Escalation from the left sidebar to enter the Alarm List tab for local privilege escalation.
2. In the Alarm List tab for local privilege escalation, you can view the list of local privilege escalation alarm events and perform related operations. You can view eight fields: hostname/Instance ID, ip, privilege escalation user, parent process, parent process user, discovery time, status, and actions (Details | to process). The list details can be customized.
Filter/Query: The local privilege escalation alarm list supports selecting dates to view corresponding alarm information, querying by keyword and tag (multiple keywords separated by vertical bar "|" and multiple filter tags separated by Enter key), and filtering events by status.

Customizing List Fields: At the top of the local privilege escalation alarm list, click

to set the list display fields. After selecting, click Yes to complete the setup.


Event Export: At the top of the local privilege escalation alarm list, click

to export the list.
Details > Alarm Details: In the operation bar on the right side of the local privilege escalation alarm list, click Details and select the Alarm Details tab to view alarm details.

Details > Process Tree: In the operation bar on the right side of the local privilege escalation alarm list, click Details and select the Process Tree tab to view details of the three latest processes in reverse chronological order.

Details > Event Investigation: In the operation bar on the right side of the local privilege escalation alarm list, click Details and select the Event Investigation tab to enter the Event Investigation of the corresponding host list.
Description
Windows machines do not support the event investigation feature currently.
Only the flagship edition supports the event investigation feature.
Mark as Processed: Supports single choice or multi-option of local privilege escalation alarm information. Manually handle the alarm, and after processing, mark the alarm as processed.


Add to Allowlists:
2.1 To add a local privilege escalation alarm event to the allowlist, click to process > Adding to the allowlist in the right action column of the alarm information list, or click Adding to the allowlist on the Details Page.


2.2 On the Add to Allowlist page, fill in the server range and click Yes to add the local privilege escalation alarm to the allowlist.


Ignore: Supports single choice or multi-option of local privilege escalation alarm information. Only the selected alarm will be ignored this time, and if the same situation occurs again, it will still trigger an alarm.
Delete Record (Proceed with Caution): Supports single choice or multi-option of local privilege escalation alarm information. Delete the selected alarm records, which will no longer be displayed on the console and cannot be recovered.


3. Click the hostname/Instance ID of the local privilege escalation alarm to view the details of the Intrusion Detection tab for that host list.



Allowlist Management

The Anti-Local Privilege Escalation feature supports adding an allowlist. By setting privilege escalation conditions in the allowlist, events that meet the conditions will be marked as allowlisted.
1. Log in to the CWPP Console, select Intrusion Detection > Local Privilege Escalation from the left sidebar to enter the Local Privilege Escalation page.
2. On the Local Privilege Escalation page, click Allowlist Management > Adding to the allowlist.


3. On the Adding to the allowlist page, set the privilege escalation conditions, including processes with S privileges and custom privilege escalation processes (supporting multiple process names separated by commas, e.g., 123.exe,test.exe). Also, select the server range covered by these conditions and click Yes.
Note
S permission: Set to grant the file the owner's permission during execution, equivalent to temporarily having the file owner's identity.
When both conditions are checked, both must be met to hit the allowlist.
If the server range is set to all servers, the allowlist condition will be trusted for all servers under the user's APPID. Please proceed with caution.

4. After setting, you can view the condition in the allowlist management list, and events in the Event List that meet this condition will be marked as allowlist events.
5. On the Allowlist Management page, you can filter, delete, and perform other operations on the allowlist.
Filter: Configured allowlists support filtering by keyword and Tag (multiple keywords separated by a vertical bar "|" and multiple filter Tags separated by the Enter key). Filtering by whether it has S permission is also supported.


Customize List Fields: At the top of the allowlist, click

to set the display fields of the list. After selecting, click Yes to successfully set it.


Edit: In the operation column on the right side of the target allowlist, click Edit to edit the created allowlist.
Delete: In the allowlist, single choice or multi-option deletion of configured allowlists is supported.