Hello, I have a question.
Are there any rules to detect if any application runs as administrator, or if a user runs the application as admin, on a Windows machine?
Hi @target_test - In Elastic SIEM, there is a default rule when you import from Elastic for "Unusual Windows User Privilege Elevation Activity". This job detects user privilege escalations, which include "run as".
Check the prebuilt ML jobs here - you will see the v3_windows_rare_user_runas_event at the bottom of the page.
And you can see the event JSON here.
Thank you for the answer @eMitch. After I read the page that you included, I found out it needs ML to do the work (Elastic Platinum). Is there any other option other than upgrading to Elastic Platinum?
Hey @target_test - Not that I'm aware of. Elastic Machine Learning requires Platinum licensing.
You could just make a custom Elastic SIEM rule to monitor it without ML; see https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
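As an added illustration of the non-ML route suggested above (this is example code, not from the thread or from Elastic), the detection logic below runs over constructed event 4648 records in the Winlogbeat-style layout (`event.code`, `winlog.event_data.SubjectUserName`, `TargetUserName`, `ProcessName`; the field names are an assumption) and flags logons where a user supplied the credentials of a different account, which is what a "run as" produces; the `rare_targets` helper is a simple stand-in for the "rare" ML job, not its algorithm.

```python
"""Flag 'run as'-style explicit-credential logons (event 4648) without ML."""
import json
from collections import Counter

# Constructed sample log lines (not real telemetry), Winlogbeat-style JSON.
SAMPLE_LOG = [
    '{"event":{"code":"4648"},"winlog":{"event_data":{"SubjectUserName":"alice",'
    '"TargetUserName":"alice","ProcessName":"C:\\\\Windows\\\\System32\\\\svchost.exe"}}}',
    '{"event":{"code":"4624"},"winlog":{"event_data":{"SubjectUserName":"-",'
    '"TargetUserName":"bob"}}}',
    '{"event":{"code":"4648"},"winlog":{"event_data":{"SubjectUserName":"alice",'
    '"TargetUserName":"admin-alice","ProcessName":"C:\\\\Windows\\\\System32\\\\runas.exe"}}}',
    '{"event":{"code":"4648"},"winlog":{"event_data":{"SubjectUserName":"bob",'
    '"TargetUserName":"Administrator","ProcessName":"C:\\\\Windows\\\\explorer.exe"}}}',
    '{"event":{"code":"4648"},"winlog":{"event_data":{"SubjectUserName":"svc",'
    '"TargetUserName":"HOST01$","ProcessName":"C:\\\\Windows\\\\System32\\\\lsass.exe"}}}',
]
EVENTS = [json.loads(line) for line in SAMPLE_LOG]


def is_explicit_cred_elevation(event):
    """True for a 4648 where the subject logged on with another account's credentials."""
    if str(event.get("event", {}).get("code")) != "4648":
        return False
    data = event.get("winlog", {}).get("event_data", {})
    subject = data.get("SubjectUserName", "").lower()
    target = data.get("TargetUserName", "").lower()
    # Same-account re-logons and machine accounts (name ends in '$') are routine noise;
    # a different human target account is the 'run as' signal.
    if not subject or not target or subject == target or target.endswith("$"):
        return False
    return True


def find_runas_events(events):
    """Return (subject, target, process) for every flagged record, in input order."""
    hits = []
    for event in events:
        if is_explicit_cred_elevation(event):
            data = event["winlog"]["event_data"]
            hits.append((data["SubjectUserName"], data["TargetUserName"],
                         data.get("ProcessName", "")))
    return hits


def rare_targets(events, max_seen=1):
    """Target accounts that appear in at most max_seen flagged logons (simple rarity)."""
    counts = Counter(target.lower() for _, target, _ in find_runas_events(events))
    return sorted(t for t, n in counts.items() if n <= max_seen)
```

In a custom SIEM rule the base filter is `event.code:4648`; the subject/target comparison above is the part the query alone cannot express, so it is done in code here.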
Thanks for the information