UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.

Elastic rule

```toml
[metadata]
creation_date = "2020/10/28"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows
ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
references = ["https://github.com/hfiref0x/UACME"]
risk_score = 73
rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and
  not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
  process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes by prompting for elevated permissions. The IEditionUpgradeManager COM interface can be exploited by attackers to bypass UAC, allowing them to execute code with elevated privileges without user consent. This detection rule identifies such attempts by monitoring for the execution of the ClipUp program from non-standard paths, initiated by a specific COM interface, indicating potential misuse for privilege escalation.

### Possible investigation steps

- Review the process execution details to confirm the presence of ClipUp.exe running from a non-standard path, as indicated by the process.executable field not matching "C:\\Windows\\System32\\ClipUp.exe".
- Investigate the parent process, dllhost.exe, to determine if it was legitimately initiated or if it shows signs of compromise, focusing on the process.parent.args field to verify the use of the specific COM interface CLSID: /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}.
- Check the user account context under which ClipUp.exe was executed to assess if it aligns with expected user behavior or if it suggests unauthorized access.
- Correlate this event with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or patterns.
- Examine recent changes or anomalies in system configurations or installed software that might indicate preparation for or execution of a UAC bypass attempt.
- If available, review network activity logs for any unusual outbound connections or data exfiltration attempts following the execution of ClipUp.exe.

### False positive analysis

- Legitimate software updates or installations may trigger the rule if they temporarily use non-standard paths for ClipUp.exe. Verify the source and purpose of the process to determine if it is part of a legitimate update or installation.
- Custom scripts or administrative tools that utilize ClipUp.exe from non-standard paths for legitimate purposes can cause false positives. Review the script or tool usage and consider excluding these specific paths if they are verified as safe.
- Software testing environments where ClipUp.exe is executed from non-standard paths for testing purposes may trigger the rule. Implement exclusions for known testing environments to prevent unnecessary alerts.
- Automated deployment tools that use ClipUp.exe from non-standard paths as part of their deployment process can be mistaken for malicious activity. Confirm the deployment tool's behavior and add exceptions for its known operations.
- In environments where multiple users have administrative privileges, legitimate administrative actions might inadvertently match the rule's criteria. Regularly audit administrative actions and consider excluding known benign activities.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate the ClipUp.exe process if it is running from a non-standard path to stop any ongoing malicious activity.
- Conduct a thorough review of the system's recent activity logs to identify any additional unauthorized changes or suspicious behavior.
- Restore any altered system files or configurations to their original state using known good backups or system restore points.
- Update and patch the operating system and all installed software to the latest versions to mitigate known vulnerabilities.
- Implement application whitelisting to prevent unauthorized programs from executing, focusing on blocking non-standard paths for critical system executables.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"
[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
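As an added example (not Elastic's code and not part of the rule above), the rule's where-clause re-implemented in Python and run over constructed ECS-style process events, so an analyst can see which fields decide a match and test exclusions before deploying them. It models EQL's `:` operator as a case-insensitive wildcard match that succeeds if any element of an array field (process.parent.args) matches; the event names, paths and the all-zero placeholder CLSID are constructed, while the IEditionUpgradeManager CLSID and the System32 path come from the rule.

```python
from fnmatch import fnmatchcase

# Values taken from the rule above.
CLSID_ARG = "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
LEGIT_CLIPUP = "C:\\Windows\\System32\\ClipUp.exe"

def eql_match(value, pattern):
    """Approximate EQL ':' : case-insensitive, '*'/'?' wildcards, true if any array element matches."""
    values = value if isinstance(value, list) else [value]
    return any(v is not None and fnmatchcase(str(v).lower(), pattern.lower()) for v in values)

def matches_rule(ev):
    """True when one flattened ECS process event satisfies the rule's where-clause."""
    return (
        ev.get("host.os.type") == "windows"  # '==' in EQL is an exact, case-sensitive comparison
        and ev.get("event.type") == "start"
        and eql_match(ev.get("process.name"), "Clipup.exe")
        and not eql_match(ev.get("process.executable"), LEGIT_CLIPUP)
        and eql_match(ev.get("process.parent.name"), "dllhost.exe")
        and eql_match(ev.get("process.parent.args"), CLSID_ARG)
    )

def sample_event(**override):
    """Constructed event (not real telemetry) carrying the fields the rule reads; overrides vary it."""
    ev = {
        "host.os.type": "windows",
        "event.type": "start",
        "process.name": "ClipUp.exe",
        "process.executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\ClipUp.exe",
        "process.parent.name": "dllhost.exe",
        "process.parent.args": ["C:\\Windows\\system32\\DllHost.exe", CLSID_ARG],
    }
    ev.update(override)
    return ev

# Constructed scenarios: only the first one should alert.
SAMPLE_EVENTS = {
    "rogue_clipup_under_elevated_com_surrogate": sample_event(),
    "genuine_clipup_same_parent": sample_event(**{"process.executable": LEGIT_CLIPUP}),
    "rogue_clipup_other_parent": sample_event(**{"process.parent.name": "explorer.exe",
                                                 "process.parent.args": ["explorer.exe"]}),
    "dllhost_other_clsid": sample_event(**{"process.parent.args": [  # placeholder CLSID, constructed
        "C:\\Windows\\system32\\DllHost.exe", "/Processid:{00000000-0000-0000-0000-000000000000}"]}),
    "clipup_process_exit": sample_event(**{"event.type": "end"}),
}

def alerts(events):
    """Names of the events that would raise this alert."""
    return sorted(name for name, ev in events.items() if matches_rule(ev))
```

Because the exclusion is evaluated case-insensitively, a genuine ClipUp.exe logged as `c:\windows\system32\clipup.exe` is still excluded, while a copy under a user-writable directory is not.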
