Enterprise EDR: Is There A Search For Processes That Were Elevated By Any Privileged Account
Article ID: 285422
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How to find which processes were run by a privileged account
Environment
Enterprise EDR Console (Formerly CB ThreatHunter): April 27, 2020 Release
Enterprise EDR Sensor: All Supported Versions
Microsoft Windows: All Supported Versions
Resolution
Use the search term process_elevated. It reports whether the process has ever been elevated via UAC.
Additional Information
By definition, the search returns all processes that were launched in an elevated state via the Windows User Account Control (UAC) feature.
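The article names the search term but leaves the scoping to privileged accounts to the reader. The following Python is an added example, not code from the article or from Carbon Black: it builds a console query that combines process_elevated with a list of privileged account names, and applies the same filter to a constructed sample of search results so the logic can be checked offline. It assumes the console's field:value query syntax, that the boolean field is queried as process_elevated:true, that the user field is process_username, and that backslashes and quotes inside a quoted value are escaped with a backslash; none of those details are stated on the page.

```python
"""Scope an Enterprise EDR search for UAC-elevated processes to privileged accounts.

Assumptions (not stated in the article): field:value query syntax,
``process_elevated:true`` for the boolean field, ``process_username`` for the
account, and backslash escaping inside quoted values. Sample records below
are constructed for this example and do not come from a real console.
"""

from typing import Dict, Iterable, List


def quote_term(value: str) -> str:
    """Wrap a value in double quotes, escaping backslashes and quotes so a
    DOMAIN\\user name survives the query parser (escaping rule assumed)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_query(privileged_accounts: Iterable[str]) -> str:
    """Return a process search query for elevated processes run by any of the
    given accounts. With no accounts, return the bare process_elevated term."""
    accounts = sorted(set(privileged_accounts))
    base = "process_elevated:true"
    if not accounts:
        return base
    users = " OR ".join(f"process_username:{quote_term(a)}" for a in accounts)
    return f"{base} AND ({users})"


def filter_elevated(records: Iterable[Dict], privileged_accounts: Iterable[str]) -> List[Dict]:
    """Apply the same condition locally: keep records whose process was elevated
    and whose user is in the privileged set (case-insensitive match)."""
    wanted = {a.lower() for a in privileged_accounts}
    return [
        r for r in records
        if r.get("process_elevated") is True
        and str(r.get("process_username", "")).lower() in wanted
    ]


# Constructed sample of what a process search might return (hypothetical values).
SAMPLE_RESULTS = [
    {"process_name": "cmd.exe", "process_username": "CORP\\admin.jdoe", "process_elevated": True},
    {"process_name": "powershell.exe", "process_username": "CORP\\svc-backup", "process_elevated": True},
    {"process_name": "notepad.exe", "process_username": "CORP\\admin.jdoe", "process_elevated": False},
    {"process_name": "explorer.exe", "process_username": "CORP\\jsmith", "process_elevated": True},
]

PRIVILEGED = ["CORP\\admin.jdoe", "CORP\\svc-backup"]


def main() -> None:
    print(build_query(PRIVILEGED))
    for rec in filter_elevated(SAMPLE_RESULTS, PRIVILEGED):
        print(f'{rec["process_username"]} ran {rec["process_name"]} elevated')


if __name__ == "__main__":
    main()
```

The query string is what you would paste into the Enterprise EDR process search; the local filter is only there to show that the two conditions (elevated, and user in the privileged set) are the same ones the query expresses, which is useful when reviewing exported results.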