UAC Bypass via ICMLuaUtil Elevated COM Interface

Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/10/19"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
13to bypass UAC to stealthily execute code with elevated permissions.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
20risk_score = 73
21rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
22setup = """## Setup
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
27`event.ingested` to @timestamp.
28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
29"""
30severity = "high"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36process where host.os.type == "windows" and event.type == "start" and
37 process.parent.name == "dllhost.exe" and
38 process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
39 process.pe.original_file_name != "WerFault.exe"
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1548"
47name = "Abuse Elevation Control Mechanism"
48reference = "https://attack.mitre.org/techniques/T1548/"
49[[rule.threat.technique.subtechnique]]
50id = "T1548.002"
51name = "Bypass User Account Control"
52reference = "https://attack.mitre.org/techniques/T1548/002/"
53
54
55
56[rule.threat.tactic]
57id = "TA0004"
58name = "Privilege Escalation"
59reference = "https://attack.mitre.org/tactics/TA0004/"
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1548"
65name = "Abuse Elevation Control Mechanism"
66reference = "https://attack.mitre.org/techniques/T1548/"
67[[rule.threat.technique.subtechnique]]
68id = "T1548.002"
69name = "Bypass User Account Control"
70reference = "https://attack.mitre.org/techniques/T1548/002/"
71
72
73
74[rule.threat.tactic]
75id = "TA0005"
76name = "Defense Evasion"
77reference = "https://attack.mitre.org/tactics/TA0005/"
78
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81[[rule.threat.technique]]
82id = "T1559"
83name = "Inter-Process Communication"
84reference = "https://attack.mitre.org/techniques/T1559/"
85[[rule.threat.technique.subtechnique]]
86id = "T1559.001"
87name = "Component Object Model"
88reference = "https://attack.mitre.org/techniques/T1559/001/"
89
90
91
92[rule.threat.tactic]
93id = "TA0002"
94name = "Execution"
95reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top