New RunAs Host / Privileged Account Combination

Privilege escalation on a Windows endpoint, whether via RunAs or a scheduled task, creates Windows Security Event ID 4648 events. This search finds username / host combinations that have not been seen before in those events, which makes it a way to track privilege escalation.

Use Case

Security Monitoring

Account Compromise, Zero Trust

Security Impact

Privilege escalation on a Windows endpoint is often done via scheduled tasks, the at command, or RunAs. Since malware often requires elevated privileges to install or to perform certain actions, any unusual occurrence of the 4648 event should be tracked. A 4648 event will always precede a 4624 (successful logon) event, assuming that the escalation succeeds. Sometimes you will see 'consent.exe' in the process name of the 4648 event; this is the UAC pop-up dialog.

Stage 1

Privilege Escalation

MITRE ATT&CK Techniques

Scheduled Task/Job
Valid Accounts

MITRE Threat Groups

Soft Cell
Night Dragon
Dragonfly 2.0
Wizard Spider
Threat Group-3390
Sandworm Team

Data Sources

Windows Security

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if it is too slow for your environment, we recommend leveraging a lookup cache, which stores the earliest time each combination was seen so that each run only has to examine new events.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it accurately reflects the first occurrence in the time period you are searching over (or, with the lookup cache feature, the first occurrence over whatever time period you built the lookup from). So while there are no "false positives" in the traditional sense, there is definitely a lot of noise.

You should not review these alerts directly (except for high sensitivity accounts or systems), but instead use them for context, or to aggregate risk (as mentioned under How To Respond).

How To Respond

When this search returns values, initiate your incident response process and capture the time of the event, the user account and system, the credentials that were used, the process executed, and any other pertinent information. Contact the owner of the system. If it is authorized behavior, document that it is authorized and by whom. If not, the user credentials may have been used by another party and additional investigation is warranted.


New RunAs Host / Privileged Account Combination Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of "process launch with explicit credentials" events (Windows Event ID 4648). We find the first time each username / host combination occurred, then alert if that first occurrence was in the last day.

SPL for New RunAs Host / Privileged Account Combination

Demo Data

  • First we pull in our demo dataset.
  • Here we use the stats command to calculate the earliest and the latest time that we have seen this combination of fields (username and host).
  • Next we calculate the most recent timestamp in our demo dataset, which stands in for "now".
  • We end by checking whether the earliest time we have seen this combination is within the last day before the end of our demo dataset.

Live Data

  • Here we start with our basic dataset of Windows Security logs with Event ID 4648 (signifying "Run As" events).
  • Next we filter out the Windows system usernames, for which this event occurs frequently and is expected.
  • Windows Security logs often include two usernames: the acting username and the target username. We want the latter (note that this has not been proven to work uniformly across all log sources, but it seems to work well for this scenario).
  • Then we put it all in a table.
  • Here we use the stats command to calculate the earliest and the latest time that we have seen this combination of fields (username and host).
  • We end by checking whether the earliest time we have seen this combination is within the last day.
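The first-time-seen logic that both the Demo Data and Live Data steps above describe, as an added Python example; this is not the page's own SPL, and the 4648 records, their field names and the system-account list are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4648 records (not real data);
# "subject" is the acting account, "target" the account whose credentials were supplied.
SAMPLE_4648 = [
    {"time": "2023-03-01T08:00:00", "host": "WS01", "subject": "alice", "target": "admin-alice", "process": "runas.exe"},
    {"time": "2023-03-03T09:15:00", "host": "WS01", "subject": "alice", "target": "admin-alice", "process": "runas.exe"},
    {"time": "2023-03-05T02:30:00", "host": "WS01", "subject": "WS01$", "target": "SYSTEM", "process": "svchost.exe"},
    {"time": "2023-03-05T14:05:00", "host": "FS02", "subject": "bob", "target": "admin-alice", "process": "consent.exe"},
    {"time": "2023-03-05T14:07:00", "host": "FS02", "subject": "bob", "target": "admin-alice", "process": "consent.exe"},
]

# Well-known Windows service identities; machine accounts are recognised by the trailing "$".
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}

def is_system_account(name):
    return name.endswith("$") or name.upper() in SYSTEM_ACCOUNTS

def first_seen_runas(events, window=timedelta(days=1), reference=None):
    """Return {(target_user, host): (earliest, latest, count)} for every combination
    whose earliest 4648 event falls within `window` of `reference`.
    reference=None uses the most recent event in the data (the demo-data variant);
    pass an ISO-8601 string or a datetime (e.g. the current time) for the live-data variant."""
    times = defaultdict(list)
    for ev in events:
        if is_system_account(ev["target"]):
            continue  # drop the noisy system / machine-account logons
        # Key on the target (impersonated) account, not the acting one.
        times[(ev["target"], ev["host"])].append(datetime.fromisoformat(ev["time"]))
    if not times:
        return {}
    if reference is None:
        reference = max(t for ts in times.values() for t in ts)
    elif isinstance(reference, str):
        reference = datetime.fromisoformat(reference)
    new = {}
    for key, ts in times.items():
        earliest, latest = min(ts), max(ts)
        if earliest >= reference - window:  # first occurrence is inside the window: alert
            new[key] = (earliest, latest, len(ts))
    return new

if __name__ == "__main__":
    for (user, host), (first, last, n) in first_seen_runas(SAMPLE_4648).items():
        print(f"NEW: {user} on {host}, first seen {first}, {n} event(s), last {last}")
```

On the sample data only the admin-alice / FS02 pair is reported: the same account on WS01 was first seen days earlier, and the SYSTEM logon is dropped by the system-account filter.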