LoFP / false positives may be generated by administrators installing benign applications using run-as/elevation.

| tstats `security_content_summariesonly`
  count min(_time) as firstTime

from datamodel=Endpoint.Processes where

Processes.process_integrity_level IN ("low","medium","high")
NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")

by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name
   Processes.process_path Processes.user Processes.user_id
   Processes.vendor_product


| `drop_dm_object_name(Processes)`

| eval join_guid = process_guid,
       integrity_level = CASE(
            match(process_integrity_level,"low"),1,
            match(process_integrity_level,"medium"),2,
            match(process_integrity_level,"high"),3,
            match(process_integrity_level,"system"),4,
            true(),0
        )

| rename user as src_user,
         parent_process* as orig_parent_process*,
         process* as parent_process*


| join max=0 dest join_guid [
    
| tstats `security_content_summariesonly`
      count max(_time) as lastTime

    from datamodel=Endpoint.Processes where

    (
        Processes.process_integrity_level IN ("system")
        NOT Processes.user IN (
                "*SYSTEM",
                "*LOCAL SERVICE",
                "*NETWORK SERVICE",
                "DWM-*",
                "*$"
            )
    )
    OR
    (
        Processes.process_integrity_level IN (
            "high",
            "system"
        )
        (
            Processes.parent_process_path IN (
                "*\\\\*",
                "*\\Users\\*",
                "*\\Temp\\*",
                "*\\ProgramData\\*"
            )
            OR
            Processes.process_path IN (
                "*\\\\*",
                "*\\Users\\*",
                "*\\Temp\\*",
                "*\\ProgramData\\*"
            )
        )
    )

    by Processes.dest Processes.user Processes.parent_process_guid
       Processes.process_name Processes.process
       Processes.process_path Processes.process_integrity_level
       Processes.process_current_directory

    
| `drop_dm_object_name(Processes)`

    
| eval elevated_integrity_level = CASE(
                match(process_integrity_level,"low"),1,
                match(process_integrity_level,"medium"),2,
                match(process_integrity_level,"high"),3,
                match(process_integrity_level,"system"),4,
                true(),0
            )
    
| rename parent_process_guid as join_guid
]


| where
    elevated_integrity_level > integrity_level
    OR
    user != elevated_user


| fields dest user src_user parent_process_name parent_process
         parent_process_path parent_process_guid
         parent_process_integrity_level parent_process_current_directory
         process_name process process_path process_guid
         process_integrity_level process_current_directory
         orig_parent_process_name orig_parent_process
         orig_parent_process_guid firstTime lastTime count


| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_privilege_escalation_suspicious_process_elevation_filter`