UAC Bypass via ICMLuaUtil Elevated COM Interface
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
Elastic rule
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
risk_score = 73
rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name == "dllhost.exe" and
  process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
  process.pe.original_file_name != "WerFault.exe"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating UAC Bypass via ICMLuaUtil Elevated COM Interface

`ICMLuaUtil` is a COM interface exposed by auto-elevated Windows COM objects, best known from the CMSTPLUA object (CLSID `{3E5FC7F9-9A51-4367-9063-A120244FBEC7}`); the rule also watches CLSID `{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}`. Because these objects are marked for auto-elevation, a medium-integrity process belonging to a member of the local Administrators group can instantiate them through the `Elevation:Administrator!new:` moniker without a consent prompt unless UAC is set to "Always notify". The object runs inside an elevated `dllhost.exe` COM surrogate, and its `ShellExec` method starts an arbitrary command from that elevated host, so the caller's payload runs at high integrity without the UAC prompt ever appearing. The rule flags any process started by a `dllhost.exe` whose command line carries one of the two `/Processid:{CLSID}` values, and excludes `WerFault.exe`, which Windows starts under the surrogate when it crashes.

### Possible investigation steps

- Start with the child process rather than the surrogate: record its image path, command line, hash and signer, whether it is a Windows binary or something recently written to disk, and everything it spawned in turn. If the data source records integrity level or token elevation, confirm the child runs at high integrity; that is what separates a successful bypass from a failed attempt.
- Do not expect the initiating process to be the parent of `dllhost.exe`. The surrogate is started by the DCOM launcher (`svchost.exe`), so the process that called `ShellExec` sits elsewhere in the tree. Look for processes that ran under the same user in the seconds before the surrogate started, and for whatever created the child executable if it is not a Windows binary.
- Check the account. The bypass only works for a member of the local Administrators group running with a filtered token; a standard user would have been asked for administrator credentials. Review that account's recent logons, new services or scheduled tasks, and persistence entries for other signs of compromise.
- Check the UAC policy on the host (`ConsentPromptBehaviorAdmin`): with "Always notify" the elevation would have prompted the user, while the default and lower settings allow the silent auto-elevation this technique depends on.
- Correlate with other data sources such as Sysmon or Microsoft Defender for Endpoint for related activity: file drops, registry changes to UAC or persistence keys, and further elevated processes.
- Review network activity around the time of the alert for command-and-control traffic or data exfiltration from the newly elevated process.

### False positive analysis

- Legitimate children of this surrogate are uncommon. The CMSTPLUA object exists to support Connection Manager profile installation (`cmstp.exe`), and some installers and updaters use the interface for elevation, so verify the child's image path, signer and command line before treating an event as benign.
- Where a trusted installer or management tool recurs, scope the exception to that child process (path, signer or hash) rather than to `dllhost.exe` or to the user account, which would suppress real bypasses as well.
- Review exceptions periodically against the current software estate so that only verified behaviour stays excluded.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate the child process and anything it spawned. The `dllhost.exe` surrogate itself is a signed Windows binary and matters only as the launcher.
- Conduct a thorough review of the affected system for unauthorized changes: persistence entries, new local administrators, modified UAC policy values and additional malicious files, and remove them.
- Restore the system from a known good backup if critical system files or configurations have been altered.
- Update and patch the operating system and installed software to close any known vulnerabilities used alongside the bypass.
- Reduce the attack surface: remove day-to-day user accounts from the local Administrators group so there is no filtered token to elevate, set UAC to "Always notify" for accounts that must remain administrators, and use application control (WDAC or AppLocker) against the unsigned payload rather than against `dllhost.exe`, which is a signed system component that cannot be blocked without breaking COM.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"
[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
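To see what the rule's `where` clause actually matches and excludes, here is the predicate re-implemented in Python and run over a handful of constructed ECS-style process-start events. This is an added example, not Elastic's code: the events, user name and PIDs are made up, the placeholder CLSID in the fourth event is invented, and treating an event with no `process.pe.original_file_name` as not excluded by the `WerFault.exe` clause is an assumption about the engine's null semantics that should be confirmed against the real EQL implementation.

```python
"""Re-implementation of the rule's EQL predicate over constructed ECS-style events.
Added example, not Elastic's code. Event contents, user name and PIDs are made up."""
import re

# The two /Processid values the rule watches: the CLSIDs of the auto-elevated COM
# objects that expose ICMLuaUtil. Compared exactly, as EQL's case-sensitive `in` does.
WATCHED_PROCESSID_ARGS = {
    "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",
}
CLSID_RE = re.compile(r"/Processid:(\{[0-9A-F-]{36}\})", re.IGNORECASE)


def _get(event, path):
    """Dotted-path lookup returning None for any missing segment (an EQL null)."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(event):
    """True if the event satisfies the rule's `where` clause."""
    if _get(event, "host.os.type") != "windows":
        return False
    if _get(event, "event.type") != "start":
        return False
    if _get(event, "process.parent.name") != "dllhost.exe":
        return False
    # process.parent.args is an array field; `in` is true if any element is listed.
    args = _get(event, "process.parent.args") or []
    if not any(arg in WATCHED_PROCESSID_ARGS for arg in args):
        return False
    # Exclusion for the surrogate crashing into Windows Error Reporting. Assumption:
    # an event with no original_file_name recorded is NOT excluded (the field is
    # simply not equal to "WerFault.exe"); confirm against your engine's null rules.
    return _get(event, "process.pe.original_file_name") != "WerFault.exe"


def surrogate_clsid(event):
    """Extract the CLSID of the COM surrogate from the parent's arguments."""
    for arg in _get(event, "process.parent.args") or []:
        match = CLSID_RE.search(arg)
        if match:
            return match.group(1).upper()
    return None


def alerts_for(events):
    """Run the predicate over a batch and keep the fields a triager needs first."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({
                "child": _get(event, "process.name"),
                "command_line": _get(event, "process.command_line"),
                "user": _get(event, "user.name"),
                "surrogate_pid": _get(event, "process.parent.pid"),
                "surrogate_clsid": surrogate_clsid(event),
            })
    return hits


def _event(child, command_line, original_name, processid_arg,
           parent="dllhost.exe", os_type="windows", user="alice"):
    """Build a constructed process-start event with just the ECS fields the rule reads."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": "start"},
        "user": {"name": user},
        "process": {
            "name": child,
            "command_line": command_line,
            "pe": {"original_file_name": original_name} if original_name else {},
            "parent": {"name": parent, "pid": 4132,
                       "args": [r"C:\Windows\system32\DllHost.exe", processid_arg]},
        },
    }


SAMPLE_EVENTS = [
    # ICMLuaUtil::ShellExec child of the CMSTPLUA surrogate: should alert.
    _event("cmd.exe", "cmd.exe /c whoami /priv", "Cmd.Exe",
           "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    # Second CLSID, PowerShell child, no original_file_name captured: should alert.
    _event("powershell.exe", "powershell.exe -nop -w hidden -c Get-Process", None,
           "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}"),
    # The surrogate crashed and WER started under it: excluded by the rule.
    _event("WerFault.exe", "WerFault.exe -u -p 4132 -s 1234", "WerFault.exe",
           "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    # Some other COM surrogate (placeholder CLSID, invented): out of scope.
    _event("notepad.exe", "notepad.exe", "NOTEPAD.EXE",
           "/Processid:{00000000-0000-0000-0000-000000000000}"),
    # Same CLSID text but the parent is not dllhost.exe: out of scope.
    _event("cmd.exe", "cmd.exe", "Cmd.Exe",
           "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", parent="explorer.exe"),
    # Non-Windows host: out of scope.
    _event("sh", "sh -c id", None,
           "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", os_type="linux"),
]

if __name__ == "__main__":
    for hit in alerts_for(SAMPLE_EVENTS):
        print(hit)
```

Only the first two constructed events produce alerts; the third shows why the `WerFault.exe` exclusion exists, and the remaining three show the conditions that keep ordinary COM surrogates and non-Windows hosts out of scope. The alert records the surrogate's PID and CLSID because the real initiator is not in the parent chain of `dllhost.exe`, so those are the values used to pivot into other telemetry.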
Related rules
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- Conhost Spawned By Suspicious Parent Process
- Command Shell Activity Started via RunDLL32
- Potential DLL Side-Loading via Microsoft Antimalware Service Executable