Enterprise EDR: Is There A Search For Processes That Were Elevated By Any Privileged Account

Article ID: 285422

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to find which processes were run by a privileged account

Environment

  • Enterprise EDR Console (Formerly CB ThreatHunter): April 27, 2020 Release
  • Enterprise EDR Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

The search term process_elevated covers this case: it reports whether a process has ever been elevated via User Account Control (UAC) during its lifetime.

Additional Information

By definition, the results returned are all processes that were launched in, or later obtained, an elevated state through the User Account Control (UAC) feature in Windows. The term reflects UAC elevation only, not whether the launching account is a member of a privileged group.
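As an added illustration (not part of this article and not Carbon Black code), the following Python builds a process search around the process_elevated term from the article and then triages a constructed set of result documents by account, so an analyst can see which accounts elevated and which of those are not expected administrators. The process_elevated field name comes from the article; the other result fields (process_name, process_username, device_name), the boolean value syntax process_elevated:true, and the use of AND to join clauses are assumptions about the search syntax and result schema, and the sample records are constructed.

```python
"""Triage UAC-elevated processes from an Enterprise EDR process search.

Added example. Only the process_elevated term is taken from the article;
every other field name and the query syntax are assumptions, and the
sample result documents below are constructed for offline use.
"""
from collections import defaultdict

# Clause from the article's search term; ":true" is an assumed value syntax.
ELEVATED_CLAUSE = "process_elevated:true"

# Constructed sample results shaped like process search documents.
SAMPLE_RESULTS = [
    {"device_name": "WS01", "process_username": "CORP\\alice",
     "process_name": "c:\\windows\\system32\\cmd.exe", "process_elevated": True},
    {"device_name": "WS01", "process_username": "CORP\\alice",
     "process_name": "c:\\windows\\system32\\notepad.exe", "process_elevated": False},
    {"device_name": "SRV02", "process_username": "CORP\\svc-backup",
     "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "process_elevated": True},
    {"device_name": "WS03", "process_username": "CORP\\bob",
     "process_name": "c:\\windows\\system32\\cmd.exe", "process_elevated": True},
    {"device_name": "WS03", "process_username": "CORP\\bob",
     "process_name": "c:\\windows\\system32\\cmd.exe", "process_elevated": True},
]


def build_query(extra_clauses=()):
    """Compose the search string: the elevated clause plus optional filters.

    Joining clauses with AND is an assumption about the console's syntax.
    """
    clauses = [ELEVATED_CLAUSE, *extra_clauses]
    return " AND ".join(clauses)


def elevated_by_account(results):
    """Return {username: {process_name: count}} for elevated processes only.

    Records with process_elevated False are skipped, mirroring what the
    search term itself would exclude when the filter is applied server-side.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for doc in results:
        if not doc.get("process_elevated"):
            continue
        summary[doc["process_username"]][doc["process_name"]] += 1
    return {user: dict(procs) for user, procs in summary.items()}


def accounts_outside_allowlist(summary, allowed_admins):
    """Accounts that elevated via UAC but are not on the expected-admin list.

    UAC elevation alone does not prove the account is privileged (see the
    article's note), so this list is a triage queue, not a verdict.
    """
    return sorted(set(summary) - set(allowed_admins))


if __name__ == "__main__":
    print("query:", build_query(["device_name:WS01"]))
    summary = elevated_by_account(SAMPLE_RESULTS)
    for user, procs in sorted(summary.items()):
        for proc, count in sorted(procs.items()):
            print(f"{user:20} {count:>3}  {proc}")
    print("review:", accounts_outside_allowlist(summary, {"CORP\\alice"}))
```

In practice the query string would be submitted to the console or API and the returned documents passed to elevated_by_account; the allowlist would come from the organisation's own record of expected administrative accounts.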