UAC Bypass via ICMLuaUtil Elevated COM Interface
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/19"
3integration = ["endpoint", "windows", "m365_defender"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
13to bypass UAC to stealthily execute code with elevated permissions.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
20risk_score = 73
21rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
22severity = "high"
23tags = [
24 "Domain: Endpoint",
25 "OS: Windows",
26 "Use Case: Threat Detection",
27 "Tactic: Privilege Escalation",
28 "Tactic: Defense Evasion",
29 "Tactic: Execution",
30 "Data Source: Elastic Endgame",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33 "Data Source: Microsoft Defender for Endpoint",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39process where host.os.type == "windows" and event.type == "start" and
40 process.parent.name == "dllhost.exe" and
41 process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
42 process.pe.original_file_name != "WerFault.exe"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1548"
50name = "Abuse Elevation Control Mechanism"
51reference = "https://attack.mitre.org/techniques/T1548/"
52[[rule.threat.technique.subtechnique]]
53id = "T1548.002"
54name = "Bypass User Account Control"
55reference = "https://attack.mitre.org/techniques/T1548/002/"
56
57
58
59[rule.threat.tactic]
60id = "TA0004"
61name = "Privilege Escalation"
62reference = "https://attack.mitre.org/tactics/TA0004/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1548"
67name = "Abuse Elevation Control Mechanism"
68reference = "https://attack.mitre.org/techniques/T1548/"
69[[rule.threat.technique.subtechnique]]
70id = "T1548.002"
71name = "Bypass User Account Control"
72reference = "https://attack.mitre.org/techniques/T1548/002/"
73
74
75
76[rule.threat.tactic]
77id = "TA0005"
78name = "Defense Evasion"
79reference = "https://attack.mitre.org/tactics/TA0005/"
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1559"
84name = "Inter-Process Communication"
85reference = "https://attack.mitre.org/techniques/T1559/"
86[[rule.threat.technique.subtechnique]]
87id = "T1559.001"
88name = "Component Object Model"
89reference = "https://attack.mitre.org/techniques/T1559/001/"
90
91
92
93[rule.threat.tactic]
94id = "TA0002"
95name = "Execution"
96reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Conhost Spawned By Suspicious Parent Process
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Bypass UAC via Event Viewer