Query Details

Runas With Saved Credentials

Query

DeviceProcessEvents
| where FileName == "runas.exe"
// Collect the account under which the command would be executed by runas
| extend TargetAccount = extract(@'user:(.*?) ', 1, ProcessCommandLine)
// Detect commandlines that contain savedcred this line can be removed to display all runas commands
| where ProcessCommandLine contains "/savecred"
| project TimeGenerated, DeviceName, TargetAccount, ProcessCommandLine

About this query

Explanation

This query is designed to detect instances where the "runas" command is used with saved credentials on a device. The "runas" command allows a user to run a program as another user, and the "/savecred" option allows the credentials to be saved for future use without re-entering the password. This can be a security risk if an attacker uses it to escalate privileges.

Here's a simple breakdown of what the query does:

  1. Target Process: It looks for events where the "runas.exe" program is executed. This program is used to run commands with different user credentials.

  2. Extract Target Account: It extracts the username under which the command is being executed from the command line details.

  3. Filter for Saved Credentials: It specifically filters for instances where the "/savecred" option is used. This option allows the credentials to be saved, which can be exploited for privilege escalation.

  4. Output: The query outputs the timestamp of the event, the name of the device where it occurred, the target account being used, and the full command line that was executed.

This query helps in identifying potential security risks by highlighting when saved credentials are used with the "runas" command, which could indicate an attempt to bypass access controls or escalate privileges.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampNameTargetAccountCommandLine

Operators

DeviceProcessEventswhereextendextractcontainsproject

MITRE Techniques

Actions

GitHub