UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/10/28"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows
ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
references = ["https://github.com/hfiref0x/UACME"]
risk_score = 73
rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and
  not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
  process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
'''

note = """## Triage and analysis

### Investigating UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

#### Possible investigation steps

- Does the alert show the IEditionUpgradeManager ClipUp bypass path?
  - Focus: `process.name`, `process.executable`, `process.parent.name`, `process.parent.args`, and `process.Ext.token.elevation_level`.
  - Hint: absent token metadata does not lower suspicion; the executable path and the COM broker's parent args still establish the bypass pattern.
  - Implication: a "dllhost.exe" broker, the IEditionUpgradeManager CLSID, a "ClipUp.exe" image name, and a non-System32 path warrant UAC bypass investigation; high or full elevation raises priority. Concern drops only when the later identity and child checks bind the activity to exact servicing or authorized testing.

- Is the non-system ClipUp image a genuine Microsoft servicing component or an attacker-defined payload?
  - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
  - Hint: absent hash, signature, or PE metadata does not lower suspicion; fall back to path, COM args, command line, and child behavior.
  - Implication: treat the image as attacker-controlled when it is unsigned, not Microsoft-signed, mismatched to "ClipUp.exe", or located under a user-writable root. A Microsoft signer, a matching original file name, and a stable hash reduce suspicion only when the same path ties to the servicing package under review.

- Does the path or runtime metadata fit system-directory spoofing or lookalike staging?
  - Why: the alert already establishes that ClipUp ran outside the genuine System32 directory; a writable root whose path ends in "\\system32\\clipup.exe" is the staging clue.
  - Focus: `process.executable`, `process.Ext.relative_file_creation_time`, `process.Ext.relative_file_name_modify_time`, and `process.command_line`.
  - Hint: absent relative timing fields leave the question unresolved; use the path root, command line, signer/hash, and local process history.
  - Implication: temp, profile, writable-share, or other non-Windows roots ending in "\\system32\\clipup.exe" indicate system-directory spoofing, especially with recent create or rename timing. Stable path age and servicing arguments reduce concern only after the image identity also fits.

- Did the elevated ClipUp instance start follow-on tooling?
  - Focus: child process starts where `process.parent.entity_id` matches the alert's `process.entity_id`, reviewing `process.name`, `process.executable`, `process.command_line`, and `process.Ext.token.integrity_level_name`. $investigate_0
  - Hint: if `process.entity_id` is absent, recover children with `host.id` + `process.pid` (matched against `process.parent.pid`) in a tight alert-time window, since PIDs are reused; an empty child search is unresolved, not benign.
  - Implication: shells, script hosts, LOLBins, installers, or security-control tooling turn the alert into post-elevation execution. No visible child keeps the case scoped to the bypass launch; it does not close it.

- Where else did this exact ClipUp pattern run?
  - Focus: matching process starts by `process.hash.sha256`, `process.executable`, `process.parent.args`, and `process.Ext.token.elevation_level`, scoped by `host.id` and `user.id`.
  - Hint: if the hash or elevation field is absent, pivot on the exact `process.executable` + `process.parent.args` pair and keep the time window tight. $investigate_1
  - Implication: once local evidence remains suspicious or unresolved, use the matching path, hash, COM args, and elevation state to scope affected hosts or users; recurrence is supporting context, not a reason to close over contradictory local evidence.

- Escalate when the COM-brokered non-system ClipUp launch pairs with attacker-defined identity, system-directory spoofing clues, unexpected elevation, or suspicious children. Close only when alert-local process evidence and supported child/history recovery bind to one confirmed servicing package or authorized OS-image test; require external confirmation when telemetry cannot prove that exact activity. Preserve evidence and escalate when answers remain mixed or incomplete.

### False positive analysis

- Windows edition upgrade, activation, or repair servicing can explain ClipUp activity only when evidence converges on one workflow: a Microsoft-signed image with a known `process.hash.sha256`, the expected `process.executable`, IEditionUpgradeManager `process.parent.args`, a compatible `process.Ext.token.integrity_level_name` when present, and no suspicious children. If change records are unavailable, require telemetry confirmation from the same signed hash, path, parent args, `host.id`, and `user.id` pattern on the same host.
- Treat non-System32 ClipUp as an operational anti-pattern outside servicing. The only other benign path is an authorized OS-image or lab test where `process.executable`, `process.hash.sha256`, `process.command_line`, `process.parent.executable`, `process.parent.args`, and `user.id` all match the exact test case. Any unsigned image, writable-profile path, or elevated child tooling contradicts this explanation.
- Before creating an exception, require a stable benign pattern for `process.executable`, `process.hash.sha256`, `process.parent.args`, `process.Ext.token.integrity_level_name`, and the relevant `host.id` or `user.id`. Avoid exceptions on `process.name`, `process.parent.name`, or the COM CLSID alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the image identity, broker context, token state, `host.id`, and `user.id` that proved the servicing or deployment workflow. Create an exception only after the same full pattern repeats benignly.
- If suspicious but unconfirmed, preserve the alert, endpoint timeline export, process tree, non-system ClipUp path and hash, IEditionUpgradeManager parent context, token details, and recovered child-process evidence before containment.
- If suspicious but unconfirmed, apply reversible containment tied to the findings: block the non-system ClipUp path or hash, end the associated user session when needed, or raise monitoring on the affected `host.id`. Isolate the host only if elevated children, control tampering, or broader suspicious process history raises the impact.
- If confirmed malicious, isolate the host, terminate the rogue ClipUp instance and its elevated children after recording their process identifiers, and block the confirmed path or hash. Review the same hash, path, COM parent args, and user across other hosts before deleting artifacts.
- Eradicate only the staged ClipUp copy, launched payloads, persistence, or launcher artifacts identified during the investigation, then restore affected controls and validate that the Windows servicing path uses the genuine System32 binary.
- Post-incident hardening: restrict system-binary lookalikes in user-writable paths with WDAC or AppLocker, retain process lineage and token telemetry for elevated COM abuse, and document any missing telemetry or uncovered variant with the preserved evidence set.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.pid",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.hash.sha256",
    "process.parent.executable",
    "process.parent.args",
    "process.Ext.token.elevation_level",
    "process.Ext.token.integrity_level_name",
]

[transform]

[[transform.investigate]]
label = "Child processes launched by the rogue ClipUp instance"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same ClipUp path and COM interface"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" },
    { excluded = false, field = "process.parent.args", queryType = "phrase", value = "{{process.parent.args}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"

[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
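
The EQL query above and the child-process pivot from the investigation guide, reimplemented as an added example so the rule's logic can be exercised offline. This is not code from the Elastic rule or its repository: it mirrors the query's conditions (including the case-insensitive behaviour of the EQL ":" operator) over constructed ECS-style process events, applies the guide's system-directory spoofing check, and recovers children by process.parent.entity_id with the host.id + process.parent.pid fallback that the first investigate transform uses. Host ids, paths, pids, timestamps and the placeholder CLSID in the third sample event are constructed, and the signer test (trusted signature whose subject starts with "Microsoft") is a simplification of the guide's identity check.

```python
"""Added example, not code from the Elastic rule or its repository: mirrors this rule's EQL
conditions over constructed ECS-style process events, then runs the investigation-guide pivots
on the resulting alert (system-directory spoofing check, child recovery by entity_id with a
host.id + parent.pid fallback). All hosts, paths, pids and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

CLSID_ARG = "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"  # IEditionUpgradeManager, from the query
GENUINE_CLIPUP = r"C:\Windows\System32\ClipUp.exe"
DLLHOST = r"C:\Windows\System32\dllhost.exe"
ROGUE = r"C:\Users\alice\AppData\Local\Temp\stage\system32\clipup.exe"  # constructed staging path
# Follow-on tooling the guide names (shells, script hosts, LOLBins); deliberately short list.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed alert time


def get(ev, path, default=None):
    """Dotted-path lookup over a nested ECS dict, e.g. get(ev, "process.parent.args")."""
    cur = ev
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches_rule(ev):
    """Reproduce the EQL query; EQL ':' compares case-insensitively, hence casefold()."""
    def s(path):
        return (get(ev, path) or "").casefold()
    parent_args = get(ev, "process.parent.args") or []  # ECS args is an array; ':' matches any element
    return (get(ev, "host.os.type") == "windows" and get(ev, "event.type") == "start"
            and s("process.name") == "clipup.exe"
            and s("process.executable") != GENUINE_CLIPUP.casefold()
            and s("process.parent.name") == "dllhost.exe"
            and any(a.casefold() == CLSID_ARG.casefold() for a in parent_args))


def spoofed_system32_path(executable):
    """Staging clue from the guide: the image path ends in '\\system32\\clipup.exe' but its
    root is not C:\\Windows (temp, profile, share, or a lookalike such as 'C:\\Windows ')."""
    low = (executable or "").casefold()
    suffix = r"\system32\clipup.exe"
    return low.endswith(suffix) and low[:-len(suffix)] != r"c:\windows"


def find_children(alert, events, window=timedelta(minutes=10)):
    """$investigate_0: children by process.parent.entity_id; when the alert carries no entity_id,
    fall back to host.id + process.parent.pid inside a tight window so pid reuse does not bleed in."""
    host, eid, pid, t0 = (get(alert, p) for p in ("host.id", "process.entity_id", "process.pid", "@timestamp"))
    children = []
    for ev in events:
        if get(ev, "event.category") != "process" or get(ev, "host.id") != host:
            continue
        if eid is not None:
            hit = get(ev, "process.parent.entity_id") == eid
        else:
            hit = get(ev, "process.parent.pid") == pid and abs(get(ev, "@timestamp") - t0) <= window
        if hit:
            children.append(ev)
    return children


def triage(alert, events):
    """Collect the guide's escalation signals; an empty child search is unresolved, not benign."""
    findings = []
    # Simplification: a trusted signature whose subject starts with "Microsoft" counts as Microsoft-signed.
    if not (get(alert, "process.code_signature.trusted") is True
            and (get(alert, "process.code_signature.subject_name") or "").startswith("Microsoft")):
        findings.append("image is not Microsoft-signed")
    if (get(alert, "process.pe.original_file_name") or "").casefold() != "clipup.exe":
        findings.append("pe.original_file_name does not match ClipUp.exe")
    if spoofed_system32_path(get(alert, "process.executable")):
        findings.append("system-directory spoofing path")
    children = find_children(alert, events)
    tooling = sorted({get(c, "process.name") for c in children
                      if (get(c, "process.name") or "").casefold() in SUSPICIOUS_CHILDREN})
    if tooling:
        findings.append("post-elevation tooling: " + ", ".join(tooling))
    elif not children:
        findings.append("no child recovered (unresolved)")
    return findings


def mk(secs, name, exe, parent, pargs, pid, ppid, eid, peid, signed=False):
    """Build one constructed ECS-style process start event on host 'host-a'."""
    return {"@timestamp": T0 + timedelta(seconds=secs),
            "event": {"category": "process", "type": "start"},
            "host": {"id": "host-a", "os": {"type": "windows"}},
            "process": {"name": name, "executable": exe, "pid": pid, "entity_id": eid,
                        "pe": {"original_file_name": "ClipUp.exe" if signed else "Payload.exe"},
                        "code_signature": {"subject_name": "Microsoft Windows" if signed else "", "trusted": signed},
                        "parent": {"name": parent, "args": pargs, "pid": ppid, "entity_id": peid}}}


SAMPLE_EVENTS = [  # constructed
    mk(0, "ClipUp.exe", GENUINE_CLIPUP, "dllhost.exe", [DLLHOST, CLSID_ARG], 3000, 2900, "e-gen", "e-dll1", True),
    mk(1, "clipup.exe", ROGUE, "dllhost.exe", [DLLHOST, CLSID_ARG], 4242, 2910, "e-rogue", "e-dll2"),
    mk(2, "clipup.exe", ROGUE, "dllhost.exe", [DLLHOST, "/Processid:{00000000-0000-0000-0000-000000000000}"],
       4300, 2920, "e-other", "e-dll3"),  # placeholder CLSID: a different COM server, not this rule's pattern
    mk(5, "cmd.exe", r"C:\Windows\System32\cmd.exe", "clipup.exe", [ROGUE], 4400, 4242, "e-cmd", "e-rogue"),
    mk(7200, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe", [r"C:\Windows\explorer.exe"],
       5000, 4242, "e-np", "e-expl"),  # pid 4242 reused two hours later; the window fallback must skip it
]
ALERT = SAMPLE_EVENTS[1]
ALERT_NO_EID = dict(ALERT, process=dict(ALERT["process"], entity_id=None))  # sensor without entity ids
```

Only the second sample event fires: the genuine servicing launch is excluded by its System32 path, and the third event carries the same rogue path but a different COM server argument. Triage of the alert reports the unsigned image, the mismatched original file name, the spoofed "\system32\clipup.exe" root and the cmd.exe child; with entity ids removed the pid fallback still recovers cmd.exe and, because of the time window, not the later process that reused pid 4242.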
