How to track processes running with administrative rights in Windows

November 10, 2024

To gather information about processes running with administrator privileges on endpoints, it’s important to understand Windows Integrity Levels, introduced by Microsoft in Windows Vista (see Mandatory Integrity Control).

Mandatory Integrity Control (MIC) is a security feature that enforces access control by assigning integrity levels to processes and objects. It uses four integrity levels (Low, Medium, High, and System) to regulate which processes can access or modify certain objects. By default, standard user processes run at Medium integrity, while administrative (elevated) processes run at High. MIC prevents lower-integrity processes from modifying higher-integrity objects and processes, providing a safeguard against unauthorized access and enhancing security across the system.

There are four integrity levels:

  • Low
  • Medium (default for standard processes)
  • High (assigned to processes with administrator rights)
  • System

For processes with administrator rights, the integrity level is set to High. This information can be viewed locally using Process Explorer, where the integrity level appears in the “Integrity” column, as shown below.

A process running with administrator group rights has the High integrity level (SID S-1-16-12288).

A process running without admin rights has the Medium integrity level (SID S-1-16-8192).

In Task Manager, the same property is exposed as the “Elevated” column, which indicates whether a process is running with administrator rights (see below).

Also, if you use the Sysmon utility to collect system activity, you will notice that the Sysmon “Process Create” event (Event ID 1) carries an “IntegrityLevel” attribute:

<Data Name="IntegrityLevel">Medium</Data> (far.exe without admin rights)
<Data Name="IntegrityLevel">High</Data> (far.exe with admin rights)

So all you need to do is create a SIEM report that includes the integrity level of the processes executed on the system.

I believe that the Windows Defender ATP Console and Advanced Hunting feature also provide valuable information regarding integrity levels.

Reports indicating potentially suspicious activity may include unusual processes running on the system with a High integrity level.
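The following is an added example, not code from the original post: it shows the report logic described above in Python, applied to a handful of constructed Sysmon Event ID 1 records. It assumes Sysmon’s standard event XML (the `Microsoft-Windows-Sysmon/Operational` log exported as XML), a hypothetical baseline of images that are expected to run elevated, and a constructed `updater.exe` launched from a user’s Temp directory as the “unusual” high-integrity process. The `normalize_level` helper also accepts the mandatory-label SID form (`S-1-16-12288`) that Process Explorer shows, so the same report can be fed from either source. In a real SIEM this logic would be expressed in the product’s query language; the Python here only demonstrates what that query has to do.

```python
"""Report elevated (High/System integrity) process creations from Sysmon Event ID 1 data."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML, including Sysmon events.
EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Well-known mandatory integrity label SIDs (S-1-16-<RID>) and their level names.
INTEGRITY_SIDS = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-8448": "Medium Plus",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
    "S-1-16-20480": "Protected Process",
}

# Levels that mean the process is running with administrative (elevated) rights.
ELEVATED_LEVELS = {"High", "System"}


def normalize_level(value: str) -> str:
    """Map a Sysmon label ("High") or a label SID ("S-1-16-12288") to a level name."""
    value = value.strip()
    if value.upper().startswith("S-1-16-"):
        return INTEGRITY_SIDS.get(value.upper(), "Unknown")
    for name in INTEGRITY_SIDS.values():  # canonicalise case, e.g. "high" -> "High"
        if name.lower() == value.lower():
            return name
    return "Unknown"


def parse_process_create_events(xml_text: str) -> list[dict]:
    """Return the EventData fields of every Sysmon Event ID 1 (Process Create) in the XML."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(EVENT_NS + "Event"):
        if ev.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID") != "1":
            continue  # skip other Sysmon event types (network, file, ...)
        data = {d.get("Name"): (d.text or "") for d in ev.iter(EVENT_NS + "Data")}
        data["IntegrityLevel"] = normalize_level(data.get("IntegrityLevel", ""))
        events.append(data)
    return events


def integrity_report(events: list[dict], baseline_images) -> tuple[Counter, list[dict]]:
    """Count processes per integrity level and flag elevated ones not in the baseline."""
    counts = Counter(e["IntegrityLevel"] for e in events)
    baseline = {p.lower() for p in baseline_images}
    flagged = [
        e for e in events
        if e["IntegrityLevel"] in ELEVATED_LEVELS
        and e.get("Image", "").lower() not in baseline
    ]
    return counts, flagged


# Constructed sample: four Process Create events plus one Event ID 3 that must be ignored.
SAMPLE_SYSMON_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
    <EventData><Data Name="UtcTime">2024-11-10 09:12:01.000</Data>
      <Data Name="Image">C:\Program Files\Far Manager\far.exe</Data>
      <Data Name="User">WORKSTATION\alice</Data>
      <Data Name="IntegrityLevel">Medium</Data></EventData></Event>
  <Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
    <EventData><Data Name="UtcTime">2024-11-10 09:15:44.000</Data>
      <Data Name="Image">C:\Program Files\Far Manager\far.exe</Data>
      <Data Name="User">WORKSTATION\alice</Data>
      <Data Name="IntegrityLevel">High</Data></EventData></Event>
  <Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
    <EventData><Data Name="UtcTime">2024-11-10 09:16:02.000</Data>
      <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
      <Data Name="User">NT AUTHORITY\SYSTEM</Data>
      <Data Name="IntegrityLevel">System</Data></EventData></Event>
  <Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
    <EventData><Data Name="UtcTime">2024-11-10 09:20:13.000</Data>
      <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
      <Data Name="User">WORKSTATION\alice</Data>
      <Data Name="IntegrityLevel">High</Data></EventData></Event>
  <Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
    <EventData><Data Name="Image">C:\Program Files\Far Manager\far.exe</Data></EventData></Event>
</Events>"""

# Hypothetical baseline of images that are expected to run elevated on this host.
BASELINE_IMAGES = {
    r"C:\Program Files\Far Manager\far.exe",
    r"C:\Windows\System32\svchost.exe",
}

if __name__ == "__main__":
    evs = parse_process_create_events(SAMPLE_SYSMON_XML)
    counts, flagged = integrity_report(evs, BASELINE_IMAGES)
    print("Processes per integrity level:", dict(counts))
    for e in flagged:
        print(f"UNEXPECTED ELEVATED: {e['UtcTime']} {e['User']} {e['Image']} [{e['IntegrityLevel']}]")
```

The baseline is the important design choice: a raw list of every High-integrity process is mostly noise (installers, management agents, admins doing their job), so the report becomes useful only once it is reduced to elevated processes whose image, path or user falls outside what is normally seen on that endpoint.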
