The hypothesis is that the presence of the s4u.exe executable indicates an adversary may be leveraging it to execute commands in the context of any user without that user's password, potentially enabling privilege escalation or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or unauthorized access attempts.
YARA Rule
rule s4u {
    meta:
        description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
        author = "Florian Roth"
        reference = "https://github.com/aurel26/s-4-u-for-windows"
        date = "2015-06-05"
        hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
        score = 50
    strings:
        // Specific strings (may change)
        $x0 = "s4u.exe Domain\\Username [Extra SID]" fullword ascii
        $x1 = "\\Release\\s4u.pdb" ascii
        // Less specific strings
        $s0 = "CreateProcessAsUser failed (error %u)." fullword ascii
        $s1 = "GetTokenInformation failed (error: %u)." fullword ascii
        $s2 = "LsaLogonUser failed (error 0x%x)." fullword ascii
        $s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" fullword ascii
        $s4 = "LookupPrivilegeValue failed (error: %u)." fullword ascii
        $s5 = "The token does not have the specified privilege (%S)." fullword ascii
        $s6 = "Unable to parse command line." fullword ascii
        $s7 = "Unable to find logon SID." fullword ascii
        $s8 = "AdjustTokenPrivileges failed (error: %u)." fullword ascii
        $s9 = "AdjustTokenPrivileges (%S): OK" fullword ascii
        // Generic
        $g1 = "%systemroot%\\system32\\cmd.exe" wide
        $g2 = "SeTcbPrivilege" wide
        $g3 = "winsta0\\default" wide
        $g4 = ".rsrc"
        $g5 = "HeapAlloc"
        $g6 = "GetCurrentProcess"
        $g7 = "HeapFree"
        $g8 = "GetProcessHeap"
        $g9 = "ExpandEnvironmentStrings"
        $g10 = "ConvertStringSidToSid"
        $g11 = "LookupPrivilegeValue"
        $g12 = "AllocateLocallyUniqueId"
        $g13 = "ADVAPI32.dll"
        $g14 = "LsaLookupAuthenticationPackage"
        $g15 = "Secur32.dll"
        $g16 = "MSVCR120.dll"
    condition:
        uint16(0) == 0x5a4d and filesize < 60KB and ( 1 of ($x*) or all of ($s*) or all of ($g*) )
}
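The condition above is easy to misread: the `wide` strings only match when stored as UTF-16LE, `fullword` strings do not match when glued to another word, and the three groups are OR'ed, so a sample can trigger on the PDB path alone or on the full generic import list. The following is an added example (not part of the rule or of Florian Roth's code) that re-implements the condition in plain Python with those modifier semantics, and exercises it against constructed byte blobs that stand in for a PE image; the helper names and the sample bytes are ours.

```python
"""Hand evaluation of the s4u rule's condition (added example, not part of the page).

Re-implements in plain Python what the `condition:` block asks of a file:
uint16(0) == 0x5a4d, filesize < 60KB, and `1 of ($x*) or all of ($s*) or
all of ($g*)`, honouring YARA's `ascii`, `wide` and `fullword` modifiers.
All sample bytes are constructed here; none come from the real binary.
"""

MZ_MAGIC = 0x5A4D
MAX_SIZE = 60 * 1024  # YARA's `60KB` means 60 * 1024 bytes

# (pattern, wide, fullword): a transcription of the rule's strings section
X_STRINGS = [
    ("s4u.exe Domain\\Username [Extra SID]", False, True),
    ("\\Release\\s4u.pdb", False, False),
]
S_STRINGS = [(p, False, True) for p in (
    "CreateProcessAsUser failed (error %u).",
    "GetTokenInformation failed (error: %u).",
    "LsaLogonUser failed (error 0x%x).",
    "LsaLogonUser: OK, LogonId: 0x%x-0x%x",
    "LookupPrivilegeValue failed (error: %u).",
    "The token does not have the specified privilege (%S).",
    "Unable to parse command line.",
    "Unable to find logon SID.",
    "AdjustTokenPrivileges failed (error: %u).",
    "AdjustTokenPrivileges (%S): OK",
)]
G_STRINGS = [(p, True, False) for p in (
    "%systemroot%\\system32\\cmd.exe", "SeTcbPrivilege", "winsta0\\default",
)] + [(p, False, False) for p in (
    ".rsrc", "HeapAlloc", "GetCurrentProcess", "HeapFree", "GetProcessHeap",
    "ExpandEnvironmentStrings", "ConvertStringSidToSid", "LookupPrivilegeValue",
    "AllocateLocallyUniqueId", "ADVAPI32.dll", "LsaLookupAuthenticationPackage",
    "Secur32.dll", "MSVCR120.dll",
)]


def _alnum(byte):
    """YARA's fullword boundary test: ASCII letters and digits count as word characters."""
    return byte < 128 and chr(byte).isalnum()


def string_matches(data, pattern, wide=False, fullword=False):
    """True if `pattern` occurs in `data` as YARA would see it with the given modifiers."""
    needle = pattern.encode("utf-16-le") if wide else pattern.encode("ascii")
    step = 2 if wide else 1  # width of one character in the encoded form
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        if not fullword:
            return True
        before = data[i - step] if i - step >= 0 else None
        after = data[i + len(needle)] if i + len(needle) < len(data) else None
        if (before is None or not _alnum(before)) and (after is None or not _alnum(after)):
            return True
        start = i + 1  # this occurrence is embedded in a longer word; look further


def s4u_rule_matches(data):
    """Evaluate the rule's condition: MZ header, size limit, then the string groups."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False
    if len(data) >= MAX_SIZE:
        return False
    one_x = any(string_matches(data, *spec) for spec in X_STRINGS)
    all_s = all(string_matches(data, *spec) for spec in S_STRINGS)
    all_g = all(string_matches(data, *spec) for spec in G_STRINGS)
    return one_x or all_s or all_g


def build_sample(ascii_strings=(), wide_strings=(), pad=64):
    """Constructed stand-in for a PE image: MZ magic, zero padding, then the strings."""
    parts = [s.encode("ascii") for s in ascii_strings]
    parts += [s.encode("utf-16-le") for s in wide_strings]
    return b"MZ" + b"\x00" * pad + b"\x00\x00".join(parts)


if __name__ == "__main__":
    print("pdb path alone:", s4u_rule_matches(build_sample(["\\Release\\s4u.pdb"])))
    print("usage string glued to a word (fullword fails):",
          s4u_rule_matches(build_sample(["xs4u.exe Domain\\Username [Extra SID]"])))
    g_ascii = [p for p, w, _ in G_STRINGS if not w]
    g_wide = [p for p, w, _ in G_STRINGS if w]
    print("all generic strings, wide ones as UTF-16:",
          s4u_rule_matches(build_sample(g_ascii, g_wide)))
    print("all generic strings, but wide ones stored as ASCII:",
          s4u_rule_matches(build_sample(g_ascii + g_wide)))
```

The last two calls show why the `wide` modifier matters for the `$g*` group: the same sixteen strings stored as ASCII do not satisfy `all of ($g*)`, and since the `$g*` branch is the one most likely to fire on an unrelated tool that imports the same APIs, the `uint16(0)` and `filesize` guards are what keep the rule from scanning every large binary on a host.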
This YARA rule can be deployed in the following contexts:
This rule contains 28 string patterns in its detection logic.
Scenario: Scheduled Task Running s4u.exe for User Account Management
Description: A legitimate scheduled task is configured to run s4u.exe to manage user accounts or perform administrative tasks, such as resetting passwords or creating user accounts.
Filter/Exclusion: Check for the presence of a scheduled task with a known name (e.g., UserAccountMaintenance) and verify that the task is owned by a trusted service account or domain admin.
Scenario: Security Tool or SIEM Agent Using s4u.exe for Privilege Escalation Testing
Description: A security tool or SIEM agent may use s4u.exe as part of a privilege escalation test or security assessment to simulate real-world attack scenarios.
Filter/Exclusion: Filter events where the process is initiated by a known security tool (e.g., Microsoft Defender for Identity, Microsoft Sentinel, or PowerShell scripts with known signatures).
Scenario: System Update or Patching Process Using s4u.exe
Description: During a system update or patching process, a legitimate administrative tool may use s4u.exe to execute commands under different user contexts to apply patches or configure settings.
Filter/Exclusion: Check for the presence of a known patching tool (e.g., Windows Update, SCCM, or Group Policy) and ensure the process is initiated by a trusted update service account.
Scenario: Admin Task Using s4u.exe to Execute CMD.exe for Scripting Purposes
Description: An administrator may use s4u.exe to run a CMD.exe process under a different user context to execute scripts or perform maintenance tasks without logging in as that user.
Filter/Exclusion: Filter events where the process is initiated by a known administrative user (e.g., Administrator, Domain Admin, or `
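The four scenarios above are only safe as exclusions when each one pairs a launch context (a named task, a known parent tool, an update service) with the identity behind it, so a task name or process name alone never suppresses an alert. The following is an added example, not part of the page or of any vendor's tooling, that applies the four exclusions to constructed process-creation events; the event field names are an assumed stand-in for a SIEM process-event table, and every allowlisted account and binary name is a placeholder to be replaced with the values used in your environment.

```python
"""Triage of s4u.exe process-creation events against the exclusions above
(added example, not part of the page). The event fields are a constructed
stand-in for a SIEM process-event table; every allowlisted name is a
placeholder. Each exclusion pairs a launch context with the identity behind
it, so a matching name alone never suppresses an alert.
"""

# Placeholders for environment-specific allowlists (scenarios 1 to 4 above).
KNOWN_TASKS = {"UserAccountMaintenance"}
TRUSTED_TASK_OWNERS = {"CORP\\svc_useradmin"}
KNOWN_SECURITY_TOOL_PARENTS = {"security-assessment-agent.exe"}  # placeholder binary name
KNOWN_PATCHING_PARENTS = {"patch-agent.exe"}                    # placeholder binary name
TRUSTED_UPDATE_ACCOUNTS = {"CORP\\svc_patching"}
KNOWN_ADMIN_ACCOUNTS = {"CORP\\Administrator"}


def exclusion_reason(ev):
    """Return the matching exclusion, or None if the event should be alerted on."""
    parent = ev.get("InitiatingProcessFileName", "").lower()
    account = ev.get("InitiatingProcessAccountName", "")
    # Scenario 1: known task AND trusted owner (the task name alone is not enough)
    if ev.get("ScheduledTaskName") in KNOWN_TASKS and account in TRUSTED_TASK_OWNERS:
        return "known scheduled task owned by a trusted account"
    # Scenario 2: launched by a known security tool
    if parent in KNOWN_SECURITY_TOOL_PARENTS:
        return "launched by a known security tool"
    # Scenario 3: known patching tool AND trusted update service account
    if parent in KNOWN_PATCHING_PARENTS and account in TRUSTED_UPDATE_ACCOUNTS:
        return "launched by a trusted patching service account"
    # Scenario 4: launched by a known administrative account
    if account in KNOWN_ADMIN_ACCOUNTS:
        return "launched by a known administrative account"
    return None


def triage(events):
    """Split s4u.exe events into (alerts, suppressed); other processes are ignored."""
    alerts, suppressed = [], []
    for ev in events:
        if ev.get("FileName", "").lower() != "s4u.exe":
            continue
        reason = exclusion_reason(ev)
        entry = (ev["DeviceName"], ev.get("InitiatingProcessAccountName", ""), reason)
        (suppressed if reason else alerts).append(entry)
    return alerts, suppressed


# Constructed events: device, process, its parent and the launching account.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "s4u.exe", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessAccountName": "CORP\\svc_useradmin", "ScheduledTaskName": "UserAccountMaintenance"},
    {"DeviceName": "ws02", "FileName": "s4u.exe", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessAccountName": "CORP\\jdoe", "ScheduledTaskName": "UserAccountMaintenance"},
    {"DeviceName": "ws03", "FileName": "s4u.exe", "InitiatingProcessFileName": "security-assessment-agent.exe",
     "InitiatingProcessAccountName": "NT AUTHORITY\\SYSTEM"},
    {"DeviceName": "ws04", "FileName": "s4u.exe", "InitiatingProcessFileName": "patch-agent.exe",
     "InitiatingProcessAccountName": "CORP\\svc_patching"},
    {"DeviceName": "ws05", "FileName": "S4U.EXE", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessAccountName": "CORP\\jdoe"},
    {"DeviceName": "ws06", "FileName": "cmd.exe", "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessAccountName": "CORP\\jdoe"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for device, account, _ in alerts:
        print(f"ALERT      {device}: s4u.exe launched by {account}")
    for device, account, reason in suppressed:
        print(f"suppressed {device}: {reason}")
```

On the constructed events, ws02 still alerts even though it carries the known task name, because the task is owned by an untrusted account; ws05 alerts because an interactive cmd.exe parent matches none of the scenarios. Process-name hunting of this kind complements the YARA rule rather than replacing it: a renamed copy of the binary escapes the `FileName` check but still carries the strings the rule looks for.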