How to check if an application runs as administrator

Hello, I have a question.

Are there any rules to detect if an application runs as administrator, or if a user runs an application as admin, on a Windows machine?

Hi @target_test - In Elastic SIEM, there is a default rule when you import from Elastic for "Unusual Windows User Privilege Elevation Activity". This job detects user privilege escalations which include "run as".

Check the prebuilt ML Jobs here - you will see the v3_windows_rare_user_runas_event at the bottom of the page.

And you can see the event JSON here.

2 Likes

Thank you for the answer @eMitch. After I read the page that you included, I found out it needs ML to do the work (Elastic Platinum). Is there any other option other than upgrading to Elastic Platinum?

Hey @target_test - Not that I'm aware of. Elastic Machine Learning requires Platinum licensing.

You could just make a custom Elastic SIEM rule to monitor it without ML; see https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

1 Like
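As an added illustration of the non-ML approach suggested above (this is example code, not from the thread or from Elastic), the logic below runs over constructed Winlogbeat-style events and flags 4648 ("logon using explicit credentials") records where the subject user supplied someone else's credentials, which is what a "Run as" or UAC elevation with a different account produces. The `event.code` and `winlog.event_data.*` field names are assumed from the Winlogbeat ECS mapping; the sample hosts, users and processes are made up.

```python
# Constructed sample events in the shape Winlogbeat ships to Elastic
# (assumption: ECS event.code plus winlog.event_data.* fields from the 4648 schema).
SAMPLE_EVENTS = [
    {"event": {"code": "4648"}, "host": {"name": "WS01"},
     "winlog": {"event_data": {"SubjectUserName": "alice", "TargetUserName": "Administrator",
                               "TargetServerName": "localhost",
                               "ProcessName": "C:\\Windows\\System32\\consent.exe"}}},
    {"event": {"code": "4648"}, "host": {"name": "WS01"},
     "winlog": {"event_data": {"SubjectUserName": "WS01$", "TargetUserName": "WS01$",
                               "TargetServerName": "localhost",
                               "ProcessName": "C:\\Windows\\System32\\svchost.exe"}}},
    {"event": {"code": "4648"}, "host": {"name": "WS02"},
     "winlog": {"event_data": {"SubjectUserName": "bob", "TargetUserName": "svc_backup",
                               "TargetServerName": "FS01.corp.local",
                               "ProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"event": {"code": "4624"}, "host": {"name": "WS02"},
     "winlog": {"event_data": {"SubjectUserName": "bob", "TargetUserName": "bob"}}},
]


def find_explicit_credential_use(events):
    """Return 4648 events where a user presented credentials other than their own."""
    findings = []
    for ev in events:
        if ev.get("event", {}).get("code") != "4648":
            continue
        data = ev.get("winlog", {}).get("event_data", {})
        subject = data.get("SubjectUserName", "")
        target = data.get("TargetUserName", "")
        # Machine accounts (trailing $) and same-user events are routine noise.
        if not subject or not target or subject.endswith("$") or target.endswith("$"):
            continue
        if subject.lower() == target.lower():
            continue
        server = data.get("TargetServerName", "")
        # Local target: a "Run as"/UAC elevation; remote target: alternate creds to another host.
        kind = "local_runas" if server.lower() in ("localhost", "") else "remote_explicit_creds"
        findings.append({
            "host": ev.get("host", {}).get("name", ""),
            "subject": subject,
            "target": target,
            "target_server": server,
            "process": data.get("ProcessName", ""),
            "kind": kind,
        })
    return findings


if __name__ == "__main__":
    for hit in find_explicit_credential_use(SAMPLE_EVENTS):
        print(hit)
```

The same subject-differs-from-target condition can be expressed as the query of a custom detection rule; the exclusions here (machine accounts, same-user events) are the first tuning a practitioner normally applies to cut 4648 noise.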

Thanks for the information