Policy: Privilege Elevation Justification Policy for Command Prompt

This example shows a Privilege Elevation policy that targets a specific application (Command Prompt, cmd.exe, represented by a single App ID) and requires the user to enter a justification before the process runs with elevated privileges. It is useful for demonstrating how to add accountability and audit context around elevation of a commonly abused "living off the land" tool without blocking it outright.


What This Policy Does

  • Targets Privilege Elevation for:

    • Any user (*)

    • One specific application (a single App ID)

    • One specific endpoint (a single Machine ID)

  • Applies JUSTIFY as the success control: when the policy matches, the user must enter a justification before elevation proceeds.

  • Requires the user to acknowledge the notification (NotificationRequiresAcknowledge: true).

  • Is currently turned off (Status: off), so it will not apply until enabled.

  • Assigns a Risk Level of 50.


Why It Behaves This Way

  • Application-Scoped Control: The policy is tied to a single application identifier, so it triggers only for the targeted process rather than for every elevation attempt.

  • Broad User Coverage: With a wildcard user scope, any user on the targeted endpoint is subject to the same justification requirement.

  • Justification As The Control: JUSTIFY collects user-provided context and creates an audit trail while still letting work proceed when there is a legitimate need. It records intent but does not verify it: anyone who can type a justification can still elevate, so it is an accountability control, not a preventive one.

  • Standard Checks With No Extra Constraints: The Date/Time/Day/Certificate restriction lists are empty, so whether the policy matches is determined entirely by the user, machine and application targeting.

  • Message/Behavior Mismatch: The notification text says "monitor mode" and implies several controls (MFA, justification, request), but the configured success control is JUSTIFY only, and once enabled the policy enforces that prompt rather than merely monitoring.


What The User Experiences

  • In Its Current State (Status Off): Users won’t see anything from this policy because it’s disabled.

  • If Enabled: When a user attempts to run the targeted process as an administrator on the in-scope endpoint, they are prompted to enter a justification before elevation proceeds.

  • Because acknowledgement is required (NotificationRequiresAcknowledge: true), the user must also explicitly acknowledge the notification before the flow continues.


Important Notes And Common Adjustments

  • Enable It Intentionally: If this is meant to be active, switch the policy from off to an enabled/enforced state.

  • Fix The Notification Message: Update the text so it accurately reflects the actual control (JUSTIFY) and avoids referencing monitor mode or additional controls that aren’t configured.

  • Decide If You Need A Stronger Control:

    • Use APPROVAL if elevations of this tool should require explicit authorization.

    • Add MFA if you want a step-up authentication requirement for this elevation.

    • Use DENY if this tool should never be elevated in your environment.

  • Reduce Prompt Fatigue: If legitimate use is frequent, consider narrowing by user/group or limiting to specific endpoints (or moving from JUSTIFY to ALLOW for a smaller trusted population, accepting that ALLOW drops the justification record from the audit trail).
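The two lists above (why the policy behaves as it does, and what to adjust) are the kind of checks worth running over every exported policy before it is enabled. The following is an added example, not the product's own code or export format: it assumes a simplified policy shape (the field names, the placeholder App ID and Machine ID, and the control names as plain strings are all assumptions), evaluates whether the policy applies to a given elevation attempt, and lints it for the issues discussed: disabled status, notification text that promises controls other than the configured success control, a wildcard user scope on an interactive control, and empty restriction lists.

```python
"""Evaluate and lint a Privilege Elevation policy (hypothetical schema).

Assumed policy shape (NOT the product's real export format):
  status:             "on" | "off"
  users / app_ids / machine_ids:  lists of identifiers; "*" means any
  success_control:    "JUSTIFY" | "APPROVAL" | "MFA" | "ALLOW" | "DENY"
  notification_text:  text shown to the user
  restrictions:       {"date": [], "time": [], "day": [], "certificate": []}
"""
import re

# Constructed policy mirroring the one described on this page. The App ID
# and Machine ID are placeholders, not real identifiers.
EXAMPLE_POLICY = {
    "name": "Privilege Elevation Justification Policy for Command Prompt",
    "status": "off",
    "users": ["*"],
    "app_ids": ["app-cmd-example"],
    "machine_ids": ["machine-example"],
    "success_control": "JUSTIFY",
    "notification_text": ("This policy is in monitor mode. You may be asked "
                          "for MFA, a justification, or to submit a request."),
    "notification_requires_acknowledge": True,
    "risk_level": 50,
    "restrictions": {"date": [], "time": [], "day": [], "certificate": []},
}

# The same policy after the adjustments recommended on this page.
FIXED_POLICY = dict(
    EXAMPLE_POLICY,
    status="on",
    notification_text=("Running cmd.exe with elevated privileges requires a "
                       "justification. Your entry is recorded for audit."),
)

# Phrases in the notification that imply a control, mapped to the control
# that would have to be configured for the message to be accurate.
CONTROL_PHRASES = {
    r"\bmfa\b|multi-?factor": "MFA",
    r"\bapprov|\brequest\b": "APPROVAL",
    r"\bjustif": "JUSTIFY",
}


def _in_scope(scope, value):
    """A scope list matches if it contains the wildcard or the exact value."""
    return "*" in scope or value in scope


def decide(policy, user, app_id, machine_id):
    """Return the control the user hits for this elevation attempt,
    or None when the policy is disabled or does not target the attempt."""
    if policy.get("status", "off").lower() != "on":
        return None
    if not (_in_scope(policy["users"], user)
            and _in_scope(policy["app_ids"], app_id)
            and _in_scope(policy["machine_ids"], machine_id)):
        return None
    return policy["success_control"].upper()


def lint_policy(policy):
    """Return a list of 'CODE: detail' findings for the issues this page discusses."""
    findings = []
    control = policy.get("success_control", "").upper()
    text = policy.get("notification_text", "")

    if policy.get("status", "off").lower() != "on":
        findings.append("DISABLED: status is not 'on'; the policy applies to nothing until enabled")

    # Message/behavior mismatch: the text must describe the control that is configured.
    if re.search(r"monitor\s*mode", text, re.I) and control != "ALLOW":
        findings.append(f"MESSAGE_MISMATCH: text says 'monitor mode' but success control {control} enforces a prompt")
    for pattern, implied in CONTROL_PHRASES.items():
        if re.search(pattern, text, re.I) and implied != control:
            findings.append(f"MESSAGE_MISMATCH: text implies {implied} but success control is {control or 'unset'}")
    if control == "JUSTIFY" and not re.search(r"\bjustif", text, re.I):
        findings.append("MESSAGE_MISMATCH: control is JUSTIFY but the text never says a justification is required")

    # Wildcard users on an interactive control is the prompt-fatigue case.
    if "*" in policy.get("users", []) and control in ("JUSTIFY", "MFA", "APPROVAL"):
        findings.append(f"PROMPT_FATIGUE: wildcard user scope with {control}; consider narrowing to a group")

    # Empty restriction lists: match is driven purely by user + machine + application.
    if not any(policy.get("restrictions", {}).values()):
        findings.append("NO_RESTRICTIONS: no date/time/day/certificate constraints; targeting alone decides the match")
    return findings


if __name__ == "__main__":
    for name, pol in (("as exported", EXAMPLE_POLICY), ("after fixes", FIXED_POLICY)):
        print(name, "->", decide(pol, "alice", "app-cmd-example", "machine-example"))
        for f in lint_policy(pol):
            print("  ", f)
```

Run against the exported policy, `decide` returns None (it is off) and the linter reports the disabled status plus three message mismatches (monitor mode, MFA, request/approval); against the corrected copy the only remaining findings are the informational prompt-fatigue and no-restrictions notes, and `decide` returns JUSTIFY for the targeted app on the targeted machine and None for any other app or machine.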


Example JSON
