This query detects use of the 'runas' command and checks whether the account used to elevate privileges is not the user's own admin account. It also matches the event to the corresponding logon events, both to check whether the elevation succeeded and to augment the event with the new SID.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | FalconFriday |
| ID | 8df80270-b4fa-4a7a-931e-8d17c0b321ae |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | PrivilegeEscalation, DefenseEvasion |
| Techniques | T1134.002 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| DeviceLogonEvents | ✓ | ✗ | ? |
| DeviceProcessEvents | ✓ | ✗ | ? |