
Runas with saved credentials

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1134.002 Access Token Manipulation: Create Process with Token https://attack.mitre.org/techniques/T1134/002

Description

Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as runas. This query detects all commands that have been executed through runas while using saved credentials. With the /savecred flag the password only needs to be entered once; after that the stored credential can be reused (including for malicious purposes) without prompting again.
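
The following is an added example, not part of the original query or its repository, that reproduces the same detection logic in Python over a handful of constructed process events (not real telemetry). It mirrors the columns the KQL query works with, compares the file name case-insensitively, and extracts the /user: account with a regex that also copes with a quoted account name or a /user: token that has no trailing space. Field names and sample values are assumptions chosen to resemble DeviceProcessEvents.

```python
import re
from typing import Optional

# Constructed sample events (assumption: same columns as DeviceProcessEvents).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01", "FileName": "runas.exe",
     "ProcessCommandLine": 'runas /savecred /user:CORP\\admin "cmd.exe /c whoami"'},
    {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "ws01", "FileName": "runas.exe",
     "ProcessCommandLine": "runas /user:CORP\\helpdesk notepad.exe"},
    {"Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "ws02", "FileName": "RUNAS.EXE",
     "ProcessCommandLine": "RUNAS /SAVECRED /user:.\\LocalAdmin mmc.exe"},
    {"Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws03", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo /savecred"},
]

# Equivalent of extract(@'user:(...)', 1, ProcessCommandLine): either a quoted
# account name (may contain spaces) or a run of non-space characters.
USER_RE = re.compile(r'user:(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def target_account(cmdline: str) -> Optional[str]:
    """Return the account named by /user:, or None if the flag is absent."""
    m = USER_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_savecred_runas(event: dict) -> bool:
    """Case-insensitive checks, matching KQL '=~' on FileName and 'contains' on the command line."""
    return (event["FileName"].lower() == "runas.exe"
            and "/savecred" in event["ProcessCommandLine"].lower())


def hunt(events) -> list:
    """Project the same columns the KQL query returns for every matching event."""
    hits = []
    for e in events:
        if is_savecred_runas(e):
            hits.append({
                "Timestamp": e["Timestamp"],
                "DeviceName": e["DeviceName"],
                "TargetAccount": target_account(e["ProcessCommandLine"]),
                "ProcessCommandLine": e["ProcessCommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, only the two runas invocations that carry /savecred are returned; the plain runas call and the cmd.exe event that merely mentions the flag are dropped, and the mixed-case RUNAS.EXE event is still caught.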

Risk

An actor can reuse saved credentials to escalate privileges.

References

Defender For Endpoint

DeviceProcessEvents
// =~ compares case-insensitively, so "RUNAS.EXE" is matched as well
| where FileName =~ "runas.exe"
// Collect the account under which the command would be executed by runas
// (\S+ also works when /user: is the last token and has no trailing space)
| extend TargetAccount = extract(@'user:(\S+)', 1, ProcessCommandLine)
// Keep only command lines that contain /savecred; remove this line to display all runas commands
| where ProcessCommandLine contains "/savecred"
| project Timestamp, DeviceName, TargetAccount, ProcessCommandLine

Sentinel

DeviceProcessEvents
// =~ compares case-insensitively, so "RUNAS.EXE" is matched as well
| where FileName =~ "runas.exe"
// Collect the account under which the command would be executed by runas
// (\S+ also works when /user: is the last token and has no trailing space)
| extend TargetAccount = extract(@'user:(\S+)', 1, ProcessCommandLine)
// Keep only command lines that contain /savecred; remove this line to display all runas commands
| where ProcessCommandLine contains "/savecred"
| project TimeGenerated, DeviceName, TargetAccount, ProcessCommandLine