A SEDR event user_name can be inconsistent
Article ID: 227784

Updated On:

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

In process launch events, the top-level "user_name" field is expected to contain the user name from event_actor.user.name. Occasionally it contains the target process's user name instead.

Environment

Release : 4.6

Component : Event schema, reporting

Cause

This data is taken directly from the Windows Operating System via the Symantec Endpoint Protection agent. It happens in specific parent-child combinations, e.g. the svchost.exe system service starts the savui.exe user process.

The top-level user_name is the same as process.user.name (e.g. DOMAIN\Administrator) but not equal to event_actor.user.name (e.g. SYSTEM).

Example

"Process A launches process B"
There is an actor user name (ActorUserName) in this event. This user name is taken from the SID of the thread in process A that launches process B. That SID is not necessarily the same as process A's user name, e.g. in the case of impersonation.
In this event, process B will have a user name (TargetUserName).

Later, if process B performs some action, that event will also carry an actor user name (ActorUserName), and this user name is not necessarily the same as the user name of process B in the earlier launch event.

For actor user names, we use the thread level user names to cover impersonation cases.
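The following added example (not Symantec or Broadcom code) models the two identities described above: the thread-level actor (event_actor.user.name, which follows an impersonation token when one is present) and the target process's own user (process.user.name). It also includes a defender-side check that flags the top-level user_name mismatch this article reports, so a rule author can rely on event_actor.user.name rather than user_name when deciding who performed a launch. The Process/Thread classes, the sample svchost.exe and savui.exe events and the helper function names are assumptions for illustration; only the field names come from the article.

```python
"""Reconciling user names in a process-launch event under impersonation.

Constructed example, not SEDR code. The field names event_actor.user.name,
process.user.name and the top-level user_name come from the article; the
classes, helper names and sample events below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Thread:
    """A thread carries the token actually used for an action.
    impersonation_user is set while the thread impersonates another account."""
    impersonation_user: Optional[str] = None


@dataclass
class Process:
    name: str
    user: str                                  # primary token of the process
    thread: Thread = field(default_factory=Thread)

    def effective_user(self) -> str:
        """Thread-level identity: the impersonation token if present, else the primary token."""
        return self.thread.impersonation_user or self.user


def launch_event(parent: Process, child: Process, top_level_user_from: str = "actor") -> dict:
    """Build a process-launch event in the shape the article describes.

    event_actor.user.name -> thread-level user of the launching thread (ActorUserName)
    process.user.name     -> user of the new process (TargetUserName)
    user_name (top level) -> expected to mirror the actor; the article reports that
                             it sometimes mirrors the target instead ("target" mode).
    """
    actor = parent.effective_user()
    target = child.user
    return {
        "event_actor": {"process": {"name": parent.name}, "user": {"name": actor}},
        "process": {"name": child.name, "user": {"name": target}},
        "user_name": actor if top_level_user_from == "actor" else target,
    }


def check_user_name_consistency(event: dict) -> dict:
    """Defender-side check: does the top-level user_name match the actor?

    When they disagree, the thread-level actor is the authoritative answer to
    "who performed the launch"; the target is "who the new process runs as".
    """
    actor = event["event_actor"]["user"]["name"]
    target = event["process"]["user"]["name"]
    top = event["user_name"]
    return {
        "consistent": top == actor,
        "top_level": top,
        "actor": actor,
        "target": target,
        "use_for_actor_logic": actor,
    }


def sample_events() -> dict:
    """Constructed sample: a SYSTEM service launching a user process, as in the article.

    'expected' has user_name == actor; 'observed' reproduces the reported mismatch
    where user_name carries the target process's user instead.
    """
    svchost = Process("svchost.exe", "NT AUTHORITY\\SYSTEM")
    savui = Process("savui.exe", "DOMAIN\\Administrator")
    return {
        "expected": launch_event(svchost, savui),
        "observed": launch_event(svchost, savui, top_level_user_from="target"),
    }


if __name__ == "__main__":
    for label, ev in sample_events().items():
        print(label, check_user_name_consistency(ev))
    # A thread impersonating a client changes the actor but not the parent's primary user.
    impersonating = Process("svchost.exe", "NT AUTHORITY\\SYSTEM", Thread("DOMAIN\\Bob"))
    print("impersonating actor:", impersonating.effective_user())
```

In the "observed" case the check returns consistent=False with top_level "DOMAIN\Administrator" and actor "NT AUTHORITY\SYSTEM", which is exactly the combination this article describes; detection logic keyed on the acting account should read event_actor.user.name directly.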

Resolution

The unexpected data comes directly from the Windows Operating System and reflects how 'impersonation' works: the system service launches a child process on behalf of the logged-on user account.