UAC Bypass via ICMLuaUtil Elevated COM Interface

Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.


 1[metadata]
 2creation_date = "2020/10/19"
 3integration = ["endpoint", "windows", "m365_defender"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
13to bypass UAC to stealthily execute code with elevated permissions.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
20risk_score = 73
21rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
22severity = "high"
23tags = [
24    "Domain: Endpoint",
25    "OS: Windows",
26    "Use Case: Threat Detection",
27    "Tactic: Privilege Escalation",
28    "Tactic: Defense Evasion",
29    "Tactic: Execution",
30    "Data Source: Elastic Endgame",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon",
33    "Data Source: Microsoft Defender for Endpoint",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39process where host.os.type == "windows" and event.type == "start" and
40 process.parent.name == "dllhost.exe" and
41 process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
42 process.pe.original_file_name != "WerFault.exe"
43'''
44
45
# ATT&CK mapping, entry 1 of 3: T1548.002 under Privilege Escalation.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

# Tactic for this entry; the same technique is mapped again to Defense
# Evasion in a separate [[rule.threat]] entry.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# ATT&CK mapping, entry 2 of 3: the same T1548.002 sub-technique, this time
# attributed to the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

# ATT&CK mapping, entry 3 of 3: COM-based inter-process communication
# (T1559.001) under the Execution tactic, reflecting that the bypass is
# driven through an elevated COM interface.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"

[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
