Hey all,

We’ve been looking for a way to effectively audit what privileges are used by a user or application with an elevated token from EPM in order to better scope our custom tokens.  We have enabled privilege monitoring within our policies, but it doesn’t look like that generates information (or maybe it does, but it’s not aggregated anywhere).

The closest we’ve gotten is looking at the audit logs in ‘C:\ProgramData\Avecto\Privilege Guard Audit Logs\’.  This directory houses XML files which seem to contain some information about what happened when using an elevated token. Here are two samples:

<AuditLog>

    <Application Type="exe" FileName="c:\windows\system32\dllhost.exe" CmdLine="C:\WINDOWS\system32\DllHost.exe /Processid:{1F2E5C40-9550-11CE-99D2-00AA006E086C}" Description="COM Surrogate" FileHash="C521025C55687C1F29B1F3A3C69B3D152CE84981" Certificate="Microsoft Windows" />

    <AuditRecords>

        <AuditRecord Time="07/11/24 17:10:43" Type="EnablePrivilege" Privilege="SeSecurityPrivilege" />

        <AuditRecord Time="07/11/24 17:10:43" Type="EnablePrivilege" Privilege="SeTakeOwnershipPrivilege" />

        <AuditRecord Time="07/11/24 17:10:43" Type="EnablePrivilege" Privilege="SeBackupPrivilege" />

        <AuditRecord Time="07/11/24 17:10:43" Type="EnablePrivilege" Privilege="SeBackupPrivilege" />

    </AuditRecords>

</AuditLog>

<AuditLog>

    <Application Type="exe" FileName="c:\program files\powershell\7\pwsh.exe" CmdLine=""C:\Program Files\PowerShell\7\pwsh.exe&quot;" Description="pwsh" FileHash="97FCEC1C423CE4A2183A0115511A1AB8CF9417B1" Certificate="Microsoft Corporation" />

    <AuditRecords>

        <AuditRecord Time="07/11/24 16:41:19" Type="CreateFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_gdlfm1bw.c2c.ps1" Mask="1074921600" />

        <AuditRecord Time="07/11/24 16:41:19" Type="CreateFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_j2o1i3zo.om1.psm1" Mask="1074921600" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_gdlfm1bw.c2c.ps1" Mask="-2146303872" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_gdlfm1bw.c2c.ps1" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_gdlfm1bw.c2c.ps1" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_gdlfm1bw.c2c.ps1" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp" Mask="1179776" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_gdlfm1bw.c2c.ps1" Mask="196736" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenFile" File="\Device\HarddiskVolume3\Windows\Temp\__PSScriptPolicyTest_j2o1i3zo.om1.psm1" Mask="196736" />

        <AuditRecord Time="07/11/24 16:41:19" Type="EnablePrivilege" Privilege="SeDebugPrivilege" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenKey" Key="\REGISTRY\USER\.DEFAULT" SubKey="Software\Microsoft\SystemCertificates\CA" Mask="196639" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenKey" Key="\REGISTRY\USER\.DEFAULT" SubKey="Software\Microsoft\SystemCertificates\CA" Mask="196639" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenKey" Key="\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA" SubKey="Certificates" Mask="196639" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenKey" Key="\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA" SubKey="CRLs" Mask="196639" />

        <AuditRecord Time="07/11/24 16:41:19" Type="OpenKey" Key="\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA" SubKey="CTLs" Mask="196639" />

…

    </AuditRecords>

</AuditLog>

These files would work for our use case, but most of them are incomplete or invalid XMLs making them difficult to process.  Does anyone do anything similar to audit what privileges are being used in their tokens or have any ideas on how we could leverage this?