Description
Rule Tuning Analysis
Rule ID: 02a23ee7-c8f8-4701-b99d-e9038ce313cb
Rule Name: Process Created with an Elevated Token
Rule Type: eql
Classification
| Metric | Value |
|---|---|
| Category | NOISY_PERFORMANT |
| Priority | MEDIUM |
| Tuning Score | 61.03 |
| Version Status | ✅ Established (24 release cycles) |
Alert Telemetry
| Metric | Value |
|---|---|
| Total Alerts (3d) | 13,938 |
| Unique Clusters | 61 |
| Cluster Coverage | 2.4% |
| Daily Average | 4,646 |
| Days Active | 3 |
| Coefficient of Variation | 0.91 (MODERATE) |
Analysis Flags
- 🔴 Noisy on Latest Version: ✅ Yes
- 🔴 Widespread False Positive: ❌ No
- ⚠️ Version Regression: ❌ No
- ⚠️ Stale and Noisy: ❌ No
- ⚠️ Low Version / High Volume: ❌ No
- ℹ️ Low Activity: ❌ No
Recommendation
Action: Add EQL not-blocks for spooler/PrintIsolationHost printer driver paths and route.exe, Sophos AutoUpdate SSEValidator, and ConnectWise LTSvcMon net/net1 service starts.
Rationale: Alert volume is dominated by benign SYSTEM process launches from the Windows print subsystem (spoolsv.exe/PrintIsolationHost.exe) executing printer driver utilities (e.g., KACT2.exe) and route.exe, plus Sophos AutoUpdate (su-setup64.exe -> SophosSSEValidator.exe) and a smaller ConnectWise LTSvc update pattern (Update.exe -> net/net1). Adding targeted EQL exclusions for spool-driver paths, spooler-driven route.exe, Sophos AutoUpdate, and ConnectWise LTSvcMon service starts will materially reduce noise while preserving CreateProcessWithToken coverage.
Query Modifications
Benign printer driver executions under SYSTEM via spoolsv.exe/PrintIsolationHost.exe (Impact: accuracy)

Current:
```eql
/* Ignores Windows print spooler service only for Access Intelligent Form */
not (process.parent.executable : "?:\\Windows\\System32\\spoolsv.exe" and
     process.executable : "?:\\Program Files*\\Access\\Intelligent Form\\*\\LaunchCreate.exe")
```
Modify →
```eql
and not (
  process.parent.name in ("spoolsv.exe", "PrintIsolationHost.exe") and
  process.executable : "?:\\Windows\\System32\\spool\\drivers\\*\\*.exe"
)
```
Targets print driver binaries in the spool drivers directory, which legitimately run under SYSTEM via the print pipeline and account for the majority of the noise (KACT2.exe among others). Note that EQL `in` is case-sensitive while `:` is not; use `in~` if the endpoint reports these parent names with varying case.

spooler/PrintIsolationHost spawning route.exe for printer networking tasks (Impact: accuracy)

Current:
```eql
/* No specific suppression for spooler-driven route.exe */
```
Modify →
```eql
and not (
  process.parent.name in ("spoolsv.exe", "PrintIsolationHost.exe") and
  process.name : "route.exe"
)
```
High-volume route.exe executions are part of benign printer setup/maintenance; restricting the block to spooler parents avoids masking attacker use of route.exe launched from any other parent.

Sophos AutoUpdate (su-setup64.exe) launching SophosSSEValidator.exe under SYSTEM (Impact: accuracy)

Current:
```eql
/* No Sophos-specific suppression in code signer list or path */
```
Modify →
```eql
and not (
  process.parent.executable : "?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\*\\su-setup*.exe" and
  process.executable : "?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sse*\\SophosSSEValidator.exe"
)
```
Observed across ~19 clusters and signed by Sophos Ltd; a narrow path-based suppression removes this noise without resorting to a broad signer-based exclusion.

Trusted vendor (Sophos) not included in existing signer allowlist (Impact: accuracy)

Current:
```eql
not (process.code_signature.trusted == true and
     process.code_signature.subject_name : ("philandro Software GmbH","Freedom Scientific Inc.","TeamViewer Germany GmbH","Projector.is, Inc.","TeamViewer GmbH","Cisco WebEx LLC","Dell Inc"))
```
Modify →
```eql
not (process.code_signature.trusted == true and
     process.code_signature.subject_name : ("philandro Software GmbH","Freedom Scientific Inc.","TeamViewer Germany GmbH","Projector.is, Inc.","TeamViewer GmbH","Cisco WebEx LLC","Dell Inc","Sophos Ltd"))
```
Extends the existing trusted vendor list to suppress recurring benign Sophos components that execute under SYSTEM during updates. This is broader than the path-scoped Sophos block above: any Sophos Ltd-signed binary started with an elevated token is suppressed regardless of path, so prefer the path-scoped block if it alone removes the volume.

ConnectWise LTSvc updater starting its service via net/net1 under SYSTEM (Impact: accuracy)

Current:
```eql
/* No suppression for ConnectWise LTSvc Update.exe and its net/net1 service start */
```
Modify →
```eql
and not (
  process.parent.executable : "?:\\Windows\\LTSvc\\*\\Update.exe" and
  process.name in ("net.exe","net1.exe") and
  process.command_line : "*start LTSvcMon*"
)
```
Tightly scoped to the ConnectWise service management observed in samples; the parent path and command-line conditions avoid masking other net.exe usage.
Exception Recommendations

Add exception: process.executable matches "?:\Windows\System32\spool\drivers\*\*.exe" (Confidence: HIGH)
Printer drivers commonly execute from the spool drivers directory under SYSTEM via spoolsv.exe/PrintIsolationHost.exe. Field diversity shows 10,650 events with spooler parents (spoolsv.exe 6,488; PrintIsolationHost.exe 4,162). Sample command lines show Kyocera KACT2.exe under this path causing noise.
Modify →
```
and process.executable matches "?:\Windows\System32\spool\drivers\*\*.exe"
```

Add exception: process.name is "route.exe" (Confidence: MEDIUM)
High-volume route.exe events (6,407 across 7 clusters) commonly originate from the print pipeline (spoolsv/PrintIsolationHost) to manage routes for printers. Do not add this as a stand-alone exception item; pair it with process.parent.name spoolsv.exe/PrintIsolationHost.exe in the same exception entry, as in the suggested query block, so route.exe launched by any other parent still alerts.
Modify →
```
and process.name is "route.exe"
```

Add exception: process.executable matches "?:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sse*\SophosSSEValidator.exe" (Confidence: HIGH)
The recurring benign Sophos AutoUpdate flow su-setup64.exe -> SophosSSEValidator.exe (trusted signer Sophos Ltd) appears in samples and field diversity (1,425-2,047 alerts; ~19 clusters).
Modify →
```
and process.executable matches "?:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sse*\SophosSSEValidator.exe"
```

Add exception: process.code_signature.subject_name is "Sophos Ltd" (Confidence: MEDIUM)
Add Sophos to the existing trusted signer allowlist to cover additional benign Sophos components running as SYSTEM. Sample events show trusted Sophos signatures for su-setup64.exe and SophosSSEValidator.exe. Pair this with process.code_signature.trusted is true in the same entry; the subject name alone is attacker-controllable on an unsigned or untrusted binary.
Modify →
```
and process.code_signature.subject_name is "Sophos Ltd"
```

Add exception: process.parent.executable matches "?:\Windows\LTSvc\*\Update.exe" (Confidence: MEDIUM)
The ConnectWise LTSvc updater (trusted signer ConnectWise, LLC) starts its service using net/net1 (e.g., 'Net start LTSvcMon /y') as SYSTEM, observed in sample events. Apply together with child process.name net.exe/net1.exe in the same entry.
Modify →
```
and process.parent.executable matches "?:\Windows\LTSvc\*\Update.exe"
```

Field-Level Recommendations
| Field | Value | Alert % | Cluster % | Confidence | Type |
|---|---|---|---|---|---|
| process.executable | ?:\Windows\System32\spool\driv... | 0.0% | 25.0% | HIGH | EXCEPTION |
| process.name | route.exe | 0.0% | 11.0% | MEDIUM | EXCEPTION |
| process.executable | ?:\ProgramData\Sophos\AutoUpda... | 0.0% | 30.0% | HIGH | EXCEPTION |
| process.code_signature.subject_name | Sophos Ltd | 0.0% | 30.0% | MEDIUM | EXCEPTION |
| process.parent.executable | ?:\Windows\LTSvc\*\Update.exe | 0.0% | 3.0% | MEDIUM | EXCEPTION |
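As an added offline dry run (not part of this issue, the rule, or the Elastic project), the following Python applies the five not-blocks proposed under Query Modifications, which are the same conditions as the exception entries above, to a handful of constructed process events and reports which block, if any, swallows each one. Field names follow ECS; the wildcard matcher only approximates EQL's `:` operator (case-insensitive, `*` any run of characters, `?` exactly one) and does not model the rest of EQL; every sample path, folder name and command line is invented.

```python
"""Dry run of the not-blocks proposed for rule 02a23ee7 ("Process Created with an
Elevated Token") over constructed process events. Added example, not the rule:
field names follow ECS, eql_like() only approximates EQL ':' and all events are invented."""
from fnmatch import fnmatchcase

TRUSTED_SIGNERS = [
    "philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH",
    "Projector.is, Inc.", "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc",
    "Sophos Ltd",  # the addition proposed in this issue
]
SPOOLER_PARENTS = ["spoolsv.exe", "PrintIsolationHost.exe"]


def eql_like(value, pattern):
    """Case-insensitive wildcard match approximating EQL ':' ('*' any run, '?' one char).
    fnmatch treats backslash literally, so Windows paths need no extra escaping."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def any_like(value, patterns):
    return any(eql_like(value, p) for p in patterns)


# One predicate per proposed not-block, in the order they would sit in the query.
# A predicate returning True means that block suppresses the event.
EXCLUSIONS = {
    "spool-driver-binary": lambda e: (
        any_like(e.get("process.parent.name"), SPOOLER_PARENTS)
        and eql_like(e.get("process.executable"), r"?:\Windows\System32\spool\drivers\*\*.exe")),
    "spooler-route": lambda e: (
        any_like(e.get("process.parent.name"), SPOOLER_PARENTS)
        and eql_like(e.get("process.name"), "route.exe")),
    "sophos-autoupdate": lambda e: (
        eql_like(e.get("process.parent.executable"),
                 r"?:\ProgramData\Sophos\AutoUpdate\Cache\*\su-setup*.exe")
        and eql_like(e.get("process.executable"),
                     r"?:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sse*\SophosSSEValidator.exe")),
    "trusted-signer": lambda e: (
        e.get("process.code_signature.trusted") is True
        and any_like(e.get("process.code_signature.subject_name"), TRUSTED_SIGNERS)),
    "connectwise-ltsvc": lambda e: (
        eql_like(e.get("process.parent.executable"), r"?:\Windows\LTSvc\*\Update.exe")
        and any_like(e.get("process.name"), ["net.exe", "net1.exe"])
        and eql_like(e.get("process.command_line"), "*start LTSvcMon*")),
}


def suppressed_by(event):
    """Name of the first not-block that swallows the event, or None if the alert still fires."""
    for name, predicate in EXCLUSIONS.items():
        if predicate(event):
            return name
    return None


def triage(events):
    """Map event id -> suppressing block (or None) for a batch of events."""
    return {e["id"]: suppressed_by(e) for e in events}


# Constructed events: paths, cache folder names and command lines are invented for the demo.
SAMPLE_EVENTS = [
    {"id": "kact2-from-spooler", "process.parent.name": "spoolsv.exe", "process.name": "KACT2.exe",
     "process.executable": r"C:\Windows\System32\spool\drivers\x64\3\KACT2.exe"},
    {"id": "route-from-printisolationhost", "process.parent.name": "PrintIsolationHost.exe",
     "process.name": "route.exe", "process.executable": r"C:\Windows\System32\route.exe"},
    {"id": "route-from-cmd", "process.parent.name": "cmd.exe",
     "process.name": "route.exe", "process.executable": r"C:\Windows\System32\route.exe"},
    {"id": "kact2-outside-spool-dir", "process.parent.name": "spoolsv.exe",
     "process.name": "KACT2.exe", "process.executable": r"C:\Users\Public\KACT2.exe"},
    {"id": "sophos-ssevalidator",
     "process.parent.executable": r"C:\ProgramData\Sophos\AutoUpdate\Cache\update_1\su-setup64.exe",
     "process.executable": r"C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sse_1\SophosSSEValidator.exe",
     "process.code_signature.trusted": True, "process.code_signature.subject_name": "Sophos Ltd"},
    {"id": "sophos-signed-elsewhere", "process.parent.name": "cmd.exe",
     "process.executable": r"C:\Users\Public\tool.exe",
     "process.code_signature.trusted": True, "process.code_signature.subject_name": "Sophos Ltd"},
    {"id": "ltsvc-net-start", "process.parent.executable": r"C:\Windows\LTSvc\Updates\Update.exe",
     "process.name": "net.exe", "process.command_line": "Net start LTSvcMon /y"},
]

if __name__ == "__main__":
    for event_id, block in triage(SAMPLE_EVENTS).items():
        print(f"{event_id:32} -> {'suppressed by ' + block if block else 'ALERT'}")
```

Running it shows the path scoping doing its job: route.exe spawned by cmd.exe and a KACT2.exe copied outside the spool drivers tree still alert, while the signer allowlist entry for Sophos Ltd suppresses any trusted Sophos-signed binary wherever it runs, which is the trade-off to weigh before adding that entry rather than the path-scoped block alone.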
This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2025-12-18T06:09:24.842436