UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

  1[metadata]
  2creation_date = "2020/11/03"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious
 13program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
 14"""
 15from = "now-9m"
 16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
 20references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
 21risk_score = 47
 22rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
 23severity = "medium"
 24tags = [
 25    "Domain: Endpoint",
 26    "OS: Windows",
 27    "Use Case: Threat Detection",
 28    "Tactic: Privilege Escalation",
 29    "Tactic: Defense Evasion",
 30    "Tactic: Execution",
 31    "Data Source: Elastic Endgame",
 32    "Data Source: Elastic Defend",
 33    "Data Source: Sysmon",
 34    "Data Source: Microsoft Defender for Endpoint",
 35    "Data Source: SentinelOne",
 36]
 37timestamp_override = "event.ingested"
 38type = "eql"
 39
 40query = '''
 41process where host.os.type == "windows" and event.type == "start" and
 42 process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
 43 process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"
 44
 45 /* uncomment once in winlogbeat */
 46 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
 47'''
 48
 49
 50[[rule.threat]]
 51framework = "MITRE ATT&CK"
 52[[rule.threat.technique]]
 53id = "T1548"
 54name = "Abuse Elevation Control Mechanism"
 55reference = "https://attack.mitre.org/techniques/T1548/"
 56[[rule.threat.technique.subtechnique]]
 57id = "T1548.002"
 58name = "Bypass User Account Control"
 59reference = "https://attack.mitre.org/techniques/T1548/002/"
 60
 61
 62
 63[rule.threat.tactic]
 64id = "TA0004"
 65name = "Privilege Escalation"
 66reference = "https://attack.mitre.org/tactics/TA0004/"
 67[[rule.threat]]
 68framework = "MITRE ATT&CK"
 69[[rule.threat.technique]]
 70id = "T1548"
 71name = "Abuse Elevation Control Mechanism"
 72reference = "https://attack.mitre.org/techniques/T1548/"
 73[[rule.threat.technique.subtechnique]]
 74id = "T1548.002"
 75name = "Bypass User Account Control"
 76reference = "https://attack.mitre.org/techniques/T1548/002/"
 77
 78
 79
 80[rule.threat.tactic]
 81id = "TA0005"
 82name = "Defense Evasion"
 83reference = "https://attack.mitre.org/tactics/TA0005/"
 84[[rule.threat]]
 85framework = "MITRE ATT&CK"
 86[[rule.threat.technique]]
 87id = "T1559"
 88name = "Inter-Process Communication"
 89reference = "https://attack.mitre.org/techniques/T1559/"
 90[[rule.threat.technique.subtechnique]]
 91id = "T1559.001"
 92name = "Component Object Model"
 93reference = "https://attack.mitre.org/techniques/T1559/001/"
 94
 95
 96
 97[rule.threat.tactic]
 98id = "TA0002"
 99name = "Execution"
100reference = "https://attack.mitre.org/tactics/TA0002/"