This query identifies UAC-elevated processes by analyzing launches of consent.exe (the process that performs UAC elevation). The first parameter of consent.exe is the process ID being elevated, so the query extracts that value and uses the combination of that ID and the DeviceId to join against processes that ran UAC elevated on the same device. Because process IDs can be reused, a time filter is applied to ensure that the elevation request and the process launch occur within a specified period of
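The following KQL is an added illustration of the technique described above, not the query from the linked GitHub repository. It assumes the Microsoft Defender for Endpoint `DeviceProcessEvents` table (columns `Timestamp`, `DeviceId`, `DeviceName`, `FileName`, `ProcessId`, `ProcessCommandLine`, `ProcessIntegrityLevel`, `AccountName`, `InitiatingProcessFileName`) and a one-minute correlation window, which is an assumed value since the page's own window is not shown.

```kusto
// Added example (not the original GitHub query): correlate consent.exe launches
// with high-integrity process creations on the same device.
let ConsentWindow = 1m;   // assumed correlation window; tune for your environment
let ConsentLaunches =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName =~ "consent.exe"
    // consent.exe's command line looks like: consent.exe <PID> <code> <address>
    // split()[0] is the image name, so the first argument is index 1.
    | extend ElevatedProcessId = toint(split(ProcessCommandLine, " ")[1])
    | where isnotempty(ElevatedProcessId)
    | project ConsentTime = Timestamp, DeviceId, DeviceName, ElevatedProcessId,
              ConsentCommandLine = ProcessCommandLine;
let ElevatedProcesses =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    // Processes launched with an elevated token run at High integrity.
    | where ProcessIntegrityLevel == "High"
    | project LaunchTime = Timestamp, DeviceId, ElevatedProcessId = ProcessId,
              FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName;
ConsentLaunches
// Join on DeviceId + PID; PIDs are only unique per device and can be reused,
// hence the time filter below rather than relying on the PID alone.
| join kind=inner ElevatedProcesses on DeviceId, ElevatedProcessId
| where LaunchTime between (ConsentTime .. (ConsentTime + ConsentWindow))
| project ConsentTime, LaunchTime, DeviceName, ElevatedProcessId, FileName,
          ProcessCommandLine, AccountName, InitiatingProcessFileName, ConsentCommandLine
| order by ConsentTime desc
```

Two caveats when adapting this: elevation prompts that the user cancels still produce a consent.exe launch but no matching high-integrity process, so the inner join drops them (switch to `leftouter` if you want to hunt for denied prompts), and a process that is already elevated when it is recorded is not necessarily the one that triggered the prompt, which is why the window should stay short.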
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| Tactics | Execution |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |