privilege_escalation_ml_windows_rare_user_runas_event.toml

[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2023/03/06"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can
indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas
are more commonly used by domain and network administrators than by regular Windows users.
"""
false_positives = [
    """
    Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user
    performing manual troubleshooting or reconfiguration.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_windows_rare_user_runas_event"]
name = "Unusual Windows User Privilege Elevation Activity"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Privilege Escalation"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"