Runas With Saved Credentials
Query
DeviceProcessEvents
| where FileName == "runas.exe"
// Collect the account under which the command would be executed by runas
| extend TargetAccount = extract(@'user:(.*?) ', 1, ProcessCommandLine)
// Detect commandlines that contain savedcred this line can be removed to display all runas commands
| where ProcessCommandLine contains "/savecred"
| project TimeGenerated, DeviceName, TargetAccount, ProcessCommandLineAbout this query
Explanation
This query is designed to detect instances where the "runas" command is used with saved credentials on a device. The "runas" command allows a user to run a program as another user, and the "/savecred" option allows the credentials to be saved for future use without re-entering the password. This can be a security risk if an attacker uses it to escalate privileges.
Here's a simple breakdown of what the query does:
-
Target Process: It looks for events where the "runas.exe" program is executed. This program is used to run commands with different user credentials.
-
Extract Target Account: It extracts the username under which the command is being executed from the command line details.
-
Filter for Saved Credentials: It specifically filters for instances where the "/savecred" option is used. This option allows the credentials to be saved, which can be exploited for privilege escalation.
-
Output: The query outputs the timestamp of the event, the name of the device where it occurred, the target account being used, and the full command line that was executed.
This query helps in identifying potential security risks by highlighting when saved credentials are used with the "runas" command, which could indicate an attempt to bypass access controls or escalate privileges.
