← Back to SOC feed Coverage →

PUA - AdvancedRun Suspicious Execution

sigma HIGH SigmaHQ
T1134.002
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

Detection Rule

Sigma (Original)

title: PUA - AdvancedRun Suspicious Execution
id: fa00b701-44c6-4679-994d-5a18afa8a707
related:
    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
      type: similar
status: test
description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '/EXEFilename'
            - '/CommandLine'
    selection_runas:
        - CommandLine|contains:
              - ' /RunAs 8 '
              - ' /RunAs 4 '
              - ' /RunAs 10 '
              - ' /RunAs 11 '
        - CommandLine|endswith:
              - '/RunAs 8'
              - '/RunAs 4'
              - '/RunAs 10'
              - '/RunAs 11'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "/EXEFilename" or TargetProcessCommandLine contains "/CommandLine") and ((TargetProcessCommandLine contains " /RunAs 8 " or TargetProcessCommandLine contains " /RunAs 4 " or TargetProcessCommandLine contains " /RunAs 10 " or TargetProcessCommandLine contains " /RunAs 11 ") or (TargetProcessCommandLine endswith "/RunAs 8" or TargetProcessCommandLine endswith "/RunAs 4" or TargetProcessCommandLine endswith "/RunAs 10" or TargetProcessCommandLine endswith "/RunAs 11"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml