Unusual Process Detected for Privileged Commands by a User

Last updated: 2025-07-02
Created: 2025-02-18

About

A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity.
Tags
Use Case: Privileged Access Detection; Rule Type: ML; Rule Type: Machine Learning; Tactic: Privilege Escalation
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)

License
Elastic License v2

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

pad

endpoint

sysmon_linux

Query

Install detection rules in Elastic Security

Detect Unusual Process Detected for Privileged Commands by a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.