Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Access Token Manipulation - Create Process with Token

Back
Id8df80270-b4fa-4a7a-931e-8d17c0b321ae
RulenameAccess Token Manipulation - Create Process with Token
DescriptionThis query detects the use of the ‘runas’ command and checks whether the account used to elevate privileges isn’t the user’s own admin account.

Additionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID.
SeverityMedium
TacticsPrivilegeEscalation
DefenseEvasion
TechniquesT1134.002
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CreateProcessWithToken.yaml
Version1.0.0
Arm template8df80270-b4fa-4a7a-931e-8d17c0b321ae.json
Deploy To Azure
let RunAsProcess=DeviceProcessEvents
    | where FileName =~ "runas.exe" 
    // You can choose to filter out the local admin account. This is based on convention. Here, we assume that localadmin accounts
    // end with _ladmin (RID 500 / LAPS).
    | where not(AccountName has_any("_ladmin"))
    // De-obfuscate the commandline used. 
    | extend CleanProcessCommandLine=parse_command_line(tostring(ProcessCommandLine), "windows")
    // Exclude a user running something on their system through their admin account.
    | where CleanProcessCommandLine !contains strcat(AccountName, "_adm") // Replace this with your admin account naming convention.
    // Exclude local admin account activities by, for instance, the servicedesk that uses the LAPS provisioned account. This is optional. 
    // Disable the line below if the number of false positives is acceptable. 
    | where not(CleanProcessCommandLine has_any (":_ladmin")) // Replace this with your local RID500/LAPS account.
    // Extract the username for the elevation action.
    | extend ElevatedAccountName=extract("user:([a-zA-Z0-9\\\\]+)",1,tostring(CleanProcessCommandLine))
    // Strip the domain suffix.
    | extend CleanElevatedAccountName= trim("(.*\\\\)",ElevatedAccountName);
RunAsProcess
| join kind=leftouter ( 
    DeviceLogonEvents
    | project-rename CleanElevatedAccountName = AccountName
    ) on CleanElevatedAccountName,DeviceId
| project-rename ElevatedActionType=ActionType1,ElevatedAccountSid=AccountSid1
| project TimeGenerated,DeviceId,DeviceName,FileName,FolderPath,ProcessCommandLine,SHA256,ProcessIntegrityLevel,AccountDomain,AccountName,AccountSid, LogonId, InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,CleanProcessCommandLine,ElevatedAccountName,CleanElevatedAccountName,ElevatedActionType,LogonType,ElevatedAccountSid
kind: Scheduled
relevantTechniques:
- T1134.002
description: |
  This query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. 
  Additionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID.  
queryPeriod: 1h
queryFrequency: 1h
tactics:
- PrivilegeEscalation
- DefenseEvasion
name: Access Token Manipulation - Create Process with Token
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
  - DeviceLogonEvents
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
triggerThreshold: 0
version: 1.0.0
id: 8df80270-b4fa-4a7a-931e-8d17c0b321ae
query: |
  let RunAsProcess=DeviceProcessEvents
      | where FileName =~ "runas.exe" 
      // You can choose to filter out the local admin account. This is based on convention. Here, we assume that localadmin accounts
      // end with _ladmin (RID 500 / LAPS).
      | where not(AccountName has_any("_ladmin"))
      // De-obfuscate the commandline used. 
      | extend CleanProcessCommandLine=parse_command_line(tostring(ProcessCommandLine), "windows")
      // Exclude a user running something on their system through their admin account.
      | where CleanProcessCommandLine !contains strcat(AccountName, "_adm") // Replace this with your admin account naming convention.
      // Exclude local admin account activities by, for instance, the servicedesk that uses the LAPS provisioned account. This is optional. 
      // Disable the line below if the number of false positives is acceptable. 
      | where not(CleanProcessCommandLine has_any (":_ladmin")) // Replace this with your local RID500/LAPS account.
      // Extract the username for the elevation action.
      | extend ElevatedAccountName=extract("user:([a-zA-Z0-9\\\\]+)",1,tostring(CleanProcessCommandLine))
      // Strip the domain suffix.
      | extend CleanElevatedAccountName= trim("(.*\\\\)",ElevatedAccountName);
  RunAsProcess
  | join kind=leftouter ( 
      DeviceLogonEvents
      | project-rename CleanElevatedAccountName = AccountName
      ) on CleanElevatedAccountName,DeviceId
  | project-rename ElevatedActionType=ActionType1,ElevatedAccountSid=AccountSid1
  | project TimeGenerated,DeviceId,DeviceName,FileName,FolderPath,ProcessCommandLine,SHA256,ProcessIntegrityLevel,AccountDomain,AccountName,AccountSid, LogonId, InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,CleanProcessCommandLine,ElevatedAccountName,CleanElevatedAccountName,ElevatedActionType,LogonType,ElevatedAccountSid  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CreateProcessWithToken.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8df80270-b4fa-4a7a-931e-8d17c0b321ae')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8df80270-b4fa-4a7a-931e-8d17c0b321ae')]",
      "properties": {
        "alertRuleTemplateName": "8df80270-b4fa-4a7a-931e-8d17c0b321ae",
        "customDetails": null,
        "description": "This query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. \nAdditionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID.\n",
        "displayName": "Access Token Manipulation - Create Process with Token",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CreateProcessWithToken.yaml",
        "query": "let RunAsProcess=DeviceProcessEvents\n    | where FileName =~ \"runas.exe\" \n    // You can choose to filter out the local admin account. This is based on convention. Here, we assume that localadmin accounts\n    // end with _ladmin (RID 500 / LAPS).\n    | where not(AccountName has_any(\"_ladmin\"))\n    // De-obfuscate the commandline used. \n    | extend CleanProcessCommandLine=parse_command_line(tostring(ProcessCommandLine), \"windows\")\n    // Exclude a user running something on their system through their admin account.\n    | where CleanProcessCommandLine !contains strcat(AccountName, \"_adm\") // Replace this with your admin account naming convention.\n    // Exclude local admin account activities by, for instance, the servicedesk that uses the LAPS provisioned account. This is optional. \n    // Disable the line below if the number of false positives is acceptable. \n    | where not(CleanProcessCommandLine has_any (\":_ladmin\")) // Replace this with your local RID500/LAPS account.\n    // Extract the username for the elevation action.\n    | extend ElevatedAccountName=extract(\"user:([a-zA-Z0-9\\\\\\\\]+)\",1,tostring(CleanProcessCommandLine))\n    // Strip the domain suffix.\n    | extend CleanElevatedAccountName= trim(\"(.*\\\\\\\\)\",ElevatedAccountName);\nRunAsProcess\n| join kind=leftouter ( \n    DeviceLogonEvents\n    | project-rename CleanElevatedAccountName = AccountName\n    ) on CleanElevatedAccountName,DeviceId\n| project-rename ElevatedActionType=ActionType1,ElevatedAccountSid=AccountSid1\n| project TimeGenerated,DeviceId,DeviceName,FileName,FolderPath,ProcessCommandLine,SHA256,ProcessIntegrityLevel,AccountDomain,AccountName,AccountSid, LogonId, InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,CleanProcessCommandLine,ElevatedAccountName,CleanElevatedAccountName,ElevatedActionType,LogonType,ElevatedAccountSid\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1134.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}