UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

  1[metadata]
  2creation_date = "2020/11/03"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious
 11program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
 31
 32User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes by prompting for elevated permissions. Adversaries may exploit elevated COM interfaces, such as the Internet Explorer Add-On Installer, to bypass UAC and execute malicious code with higher privileges. The detection rule identifies suspicious processes originating from temporary directories, launched by the IE installer with specific arguments, indicating potential UAC bypass attempts.
 33
 34### Possible investigation steps
 35
 36- Review the process details to confirm the executable path matches the pattern "C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe" and verify if it is expected or known within the environment.
 37- Investigate the parent process "ieinstal.exe" to determine if its execution is legitimate, checking for any unusual or unexpected usage patterns.
 38- Examine the command-line arguments used by the parent process, specifically looking for the "-Embedding" argument, to understand the context of its execution.
 39- Check the code signature of the suspicious process to determine if it is signed by a trusted entity, and assess the trustworthiness of the signature if present.
 40- Correlate this event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related malicious activity.
 41- Investigate the user account associated with the process to determine if there are any signs of compromise or unauthorized access attempts.
 42- Assess the risk and impact of the potential UAC bypass attempt on the system and broader network, and take appropriate containment or remediation actions if necessary.
 43
 44### False positive analysis
 45
 46- Legitimate software installations or updates may trigger the rule if they temporarily use the specified directory structure. Users can monitor the frequency and context of these alerts to determine if they align with known software behaviors.
 47- Development or testing environments might generate alerts due to the execution of scripts or applications from temporary directories. Users can create exceptions for specific environments or processes that are known to be safe.
 48- System administrators or IT personnel performing legitimate administrative tasks might inadvertently trigger the rule. Users can exclude specific user accounts or processes from monitoring if they are verified as non-threatening.
 49- Automated software deployment tools that use temporary directories for installation processes may cause false positives. Users can whitelist these tools by verifying their code signatures and adding them to an exception list.
 50- Regularly review and update the list of trusted applications and processes to ensure that only verified and necessary exceptions are in place, minimizing the risk of overlooking genuine threats.
 51
 52### Response and remediation
 53
 54- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
 55- Terminate any suspicious processes identified by the detection rule, specifically those originating from temporary directories and launched by "ieinstal.exe" with the "-Embedding" argument.
 56- Conduct a thorough review of the affected system to identify any additional unauthorized changes or malware installations, focusing on temporary directories and COM interface usage.
 57- Restore the system to a known good state using backups or system restore points, ensuring that any malicious changes are reversed.
 58- Update and patch the affected system to the latest security updates to mitigate known vulnerabilities that could be exploited for UAC bypass.
 59- Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.
 60- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""
 61references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
 62risk_score = 47
 63rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
 64severity = "medium"
 65tags = [
 66    "Domain: Endpoint",
 67    "OS: Windows",
 68    "Use Case: Threat Detection",
 69    "Tactic: Privilege Escalation",
 70    "Tactic: Defense Evasion",
 71    "Tactic: Execution",
 72    "Data Source: Elastic Endgame",
 73    "Data Source: Elastic Defend",
 74    "Data Source: Sysmon",
 75    "Data Source: Microsoft Defender for Endpoint",
 76    "Data Source: SentinelOne",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "eql"
 81
 82query = '''
 83process where host.os.type == "windows" and event.type == "start" and
 84 process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
 85 process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"
 86
 87 /* uncomment once in winlogbeat */
 88 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
 89'''
 90
 91
 92[[rule.threat]]
 93framework = "MITRE ATT&CK"
 94[[rule.threat.technique]]
 95id = "T1548"
 96name = "Abuse Elevation Control Mechanism"
 97reference = "https://attack.mitre.org/techniques/T1548/"
 98[[rule.threat.technique.subtechnique]]
 99id = "T1548.002"
100name = "Bypass User Account Control"
101reference = "https://attack.mitre.org/techniques/T1548/002/"
102
103
104
105[rule.threat.tactic]
106id = "TA0004"
107name = "Privilege Escalation"
108reference = "https://attack.mitre.org/tactics/TA0004/"
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1548"
113name = "Abuse Elevation Control Mechanism"
114reference = "https://attack.mitre.org/techniques/T1548/"
115[[rule.threat.technique.subtechnique]]
116id = "T1548.002"
117name = "Bypass User Account Control"
118reference = "https://attack.mitre.org/techniques/T1548/002/"
119
120
121
122[rule.threat.tactic]
123id = "TA0005"
124name = "Defense Evasion"
125reference = "https://attack.mitre.org/tactics/TA0005/"
126[[rule.threat]]
127framework = "MITRE ATT&CK"
128[[rule.threat.technique]]
129id = "T1559"
130name = "Inter-Process Communication"
131reference = "https://attack.mitre.org/techniques/T1559/"
132[[rule.threat.technique.subtechnique]]
133id = "T1559.001"
134name = "Component Object Model"
135reference = "https://attack.mitre.org/techniques/T1559/001/"
136
137
138
139[rule.threat.tactic]
140id = "TA0002"
141name = "Execution"
142reference = "https://attack.mitre.org/tactics/TA0002/"