UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
Elastic rule
```toml
[metadata]
creation_date = "2020/11/03"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious
program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
risk_score = 47
rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Tactic: Defense Evasion",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
  process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"

  /* uncomment once in winlogbeat */
  /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes by prompting for elevated permissions. Adversaries may exploit elevated COM interfaces, such as the Internet Explorer Add-On Installer, to bypass UAC and execute malicious code with higher privileges. The detection rule identifies suspicious processes originating from temporary directories, launched by the IE installer with specific arguments, indicating potential UAC bypass attempts.

### Possible investigation steps

- Review the process details to confirm the executable path matches the pattern "C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe" and verify if it is expected or known within the environment.
- Investigate the parent process "ieinstal.exe" to determine if its execution is legitimate, checking for any unusual or unexpected usage patterns.
- Examine the command-line arguments used by the parent process, specifically looking for the "-Embedding" argument, to understand the context of its execution.
- Check the code signature of the suspicious process to determine if it is signed by a trusted entity, and assess the trustworthiness of the signature if present.
- Correlate this event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related malicious activity.
- Investigate the user account associated with the process to determine if there are any signs of compromise or unauthorized access attempts.
- Assess the risk and impact of the potential UAC bypass attempt on the system and broader network, and take appropriate containment or remediation actions if necessary.

### False positive analysis

- Legitimate software installations or updates may trigger the rule if they temporarily use the specified directory structure. Users can monitor the frequency and context of these alerts to determine if they align with known software behaviors.
- Development or testing environments might generate alerts due to the execution of scripts or applications from temporary directories. Users can create exceptions for specific environments or processes that are known to be safe.
- System administrators or IT personnel performing legitimate administrative tasks might inadvertently trigger the rule. Users can exclude specific user accounts or processes from monitoring if they are verified as non-threatening.
- Automated software deployment tools that use temporary directories for installation processes may cause false positives. Users can whitelist these tools by verifying their code signatures and adding them to an exception list.
- Regularly review and update the list of trusted applications and processes to ensure that only verified and necessary exceptions are in place, minimizing the risk of overlooking genuine threats.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified by the detection rule, specifically those originating from temporary directories and launched by "ieinstal.exe" with the "-Embedding" argument.
- Conduct a thorough review of the affected system to identify any additional unauthorized changes or malware installations, focusing on temporary directories and COM interface usage.
- Restore the system to a known good state using backups or system restore points, ensuring that any malicious changes are reversed.
- Update and patch the affected system to the latest security updates to mitigate known vulnerabilities that could be exploited for UAC bypass.
- Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"
[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
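To make the rule's logic concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the query's conditions in Python and runs them over a handful of constructed process-start events. It approximates EQL's `:` operator as a case-insensitive wildcard match (an assumption about EQL semantics, good enough for this illustration) and exposes the commented-out code-signature exclusion as an optional flag, so a detection engineer can see exactly which fields the rule keys on and how that exclusion narrows the matches. All event records and paths below are constructed sample data, not real telemetry.

```python
"""Added example: Python approximation of the rule's EQL conditions, run over
constructed process-start events. Not the rule's own code."""
import re

# Executable pattern from the rule, after EQL string unescaping.
EXECUTABLE_PATTERN = r"C:\*\AppData\*\Temp\IDC*.tmp\*.exe"


def eql_like(value, pattern):
    """Approximation (assumption) of EQL ':' for strings: case-insensitive
    match where '*' matches any run of characters, including backslashes."""
    if value is None:
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def matches_rule(event, apply_signature_exception=False):
    """Return True when the event satisfies the rule's EQL conditions.

    apply_signature_exception enables the clause the rule keeps commented out:
    drop binaries that are Microsoft-signed and whose signature is trusted."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_like(event.get("process.executable"), EXECUTABLE_PATTERN):
        return False
    if not eql_like(event.get("process.parent.name"), "ieinstal.exe"):
        return False
    # process.parent.args is an array field; EQL ':' matches any element.
    parent_args = event.get("process.parent.args") or []
    if not any(eql_like(arg, "-Embedding") for arg in parent_args):
        return False
    if apply_signature_exception and (
        event.get("process.code_signature.subject_name") == "Microsoft Corporation"
        and event.get("process.code_signature.trusted") is True
    ):
        return False
    return True


def run_rule(events, apply_signature_exception=False):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e, apply_signature_exception)]


def _event(event_id, executable, parent="ieinstal.exe", args=("-Embedding",), **extra):
    # Constructed ECS-style event; only the fields the rule reads are present.
    base = {
        "id": event_id,
        "host.os.type": "windows",
        "event.type": "start",
        "process.executable": executable,
        "process.parent.name": parent,
        "process.parent.args": list(args),
    }
    base.update(extra)
    return base


# Constructed sample events (all paths and users are made up).
SAMPLE_EVENTS = [
    # Matches every condition of the rule.
    _event("evt-1", r"C:\Users\alice\AppData\Local\Temp\IDC1A2B.tmp\setup.exe"),
    # Mixed case everywhere; still matches because ':' is case-insensitive.
    _event("evt-2", r"c:\users\bob\appdata\local\temp\idc9f.TMP\Update.EXE",
           parent="IEINSTAL.EXE", args=("-embedding",)),
    # Microsoft-signed and trusted: matches unless the signature exception is on.
    _event("evt-3", r"C:\Users\carol\AppData\Local\Temp\IDC7.tmp\addon.exe",
           **{"process.code_signature.subject_name": "Microsoft Corporation",
              "process.code_signature.trusted": True}),
    # Wrong parent process.
    _event("evt-4", r"C:\Users\dave\AppData\Local\Temp\IDC3.tmp\x.exe",
           parent="explorer.exe"),
    # Right parent, but not started via COM activation (no -Embedding).
    _event("evt-5", r"C:\Users\erin\AppData\Local\Temp\IDC4.tmp\y.exe",
           args=("/quiet",)),
    # Executable not inside an IDC*.tmp directory.
    _event("evt-6", r"C:\Users\frank\AppData\Local\Temp\setup.exe"),
]

if __name__ == "__main__":
    print("alerts:", run_rule(SAMPLE_EVENTS))
    print("alerts with signature exception:",
          run_rule(SAMPLE_EVENTS, apply_signature_exception=True))
```

Running the block as a script lists the three events that satisfy the published query and then the two that remain once the Microsoft-signed exception is applied, which is the trade-off the rule's comment alludes to: the exception removes a class of benign add-on installs but also any signed binary an adversary manages to place under the `IDC*.tmp` path.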
References
- https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
Related rules
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Conhost Spawned By Suspicious Parent Process
- Command Shell Activity Started via RunDLL32
- Control Panel Process with Unusual Arguments