Tailscale user role updated

This rule is part of a beta feature. To learn more, contact Support.
tailscale

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

Set up the tailscale integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a Tailscale user’s role is updated.

Strategy

This rule monitors Tailscale logs for when a user’s role is updated. This could be a privilege escalation vector for an attacker looking to bypass restrictions from a lower privileged user.

Triage and response

  1. Investigate the user {{@usr.email}} that performed the UPDATE action on user {{@target.name}}.
  2. Compare the previous roles {{@old}} with the new role updates containing the {{@new}} role and confirm that they should be assigned to the user {{@target.name}}.
  3. If the activity is deemed malicious:
    • Begin your organization’s incident response process and investigate.