UAC Bypass via ICMLuaUtil Elevated COM Interface
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
references = ["https://github.com/hfiref0x/UACME"]
risk_score = 73
rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender XDR",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name == "dllhost.exe" and
  process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
  process.pe.original_file_name != "WerFault.exe" and
  not (process.executable : "?:\\Program Files\\WireGuard\\wireguard.exe" and process.args : "/installmanagerservice")
'''

note = """## Triage and analysis

### Investigating UAC Bypass via ICMLuaUtil Elevated COM Interface

#### Possible investigation steps

- What did the auto-elevated COM broker launch?
  - Focus: `process.name`, `process.executable`, `process.command_line`, `process.pe.original_file_name`, and `process.parent.args`.
  - Implication: escalate when the CLSID-specific broker launched a shell, script host, LOLBin, installer, user-writable binary, or relaunched payload; lower suspicion when the child is a signed Windows or endpoint-management helper whose protected path and arguments fit one recognized servicing or support workflow.

- Does the elevated child look like a stable trusted binary or a staged payload?
  - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.Ext.relative_file_creation_time`.
  - Implication: escalate when the child is unsigned, new, user-writable, renamed, hash-new, or PE-mismatched; lower suspicion only when identity, signer, age, and path fit a stable installed component.

- Did the child receive an elevation state that changes risk for this user session?
  - Focus: `process.Ext.token.integrity_level_name`, `process.Ext.token.elevation_level`, `process.Ext.authentication_id`, and `user.id`.
  - Implication: escalate when a limited or interactive user context produced a high-integrity or full-elevation child without a matching maintenance task; lower suspicion when token and session align with a recognized elevated admin utility for the same user.

- Which process initiated the brokered elevation behind `dllhost.exe`?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.effective_parent.executable`, and `process.Ext.effective_parent.name`.
  - Hint: if effective-parent fields are absent or repeat `dllhost.exe`, recover broader lineage and keep origin attribution unresolved rather than treating the COM broker as the real launcher.
  - Implication: escalate when the logical initiator is a script host, archive/temp path, renamed binary, remote-access tool, or unexplained user process; lower suspicion when it resolves to the same signed Windows or endpoint-management workflow as the child.

- Did the elevated child spawn payloads, shells, or other post-elevation tools?
  - Focus: child process events from `process.entity_id`, checking `process.name`, `process.executable`, `process.command_line`, and `process.parent.executable`. $investigate_0
  - Hint: if `process.entity_id` is absent, recover children with `host.id` plus `process.pid` in a tight alert-time window and treat PID reuse as ambiguous.
  - Implication: escalate when the elevated child starts shells, script hosts, LOLBins, security-tool tampering, or payloads outside the recognized workflow; if no child process appears, scope the case to the broker launch rather than assuming the bypass failed.

- If local evidence is suspicious or incomplete, does surrounding alert context expand scope?
  - Focus: related alerts for `host.id`, especially privilege-escalation, defense-evasion, masquerading, suspicious child-process, or tampering findings tied to `process.parent.args` or `process.executable`. $investigate_1
  - Hint: compare `user.id` alerts only to decide whether elevation is host-local or follows the user. $investigate_2
  - Hint: pivot on same executable and COM parent arguments. $investigate_3
  - Implication: broaden response scope when the same host or user also shows UAC-bypass, masquerading, or post-elevation execution; keep scope local when surrounding alerts are clean and broker, child, token, and follow-on evidence are coherent.

- What disposition do the broker, child identity, launcher, token, follow-on activity, and scope support?
  - Escalate on unauthorized brokered CLSID launch, child identity, launcher, token, child-process, or alert-scope evidence; close only when alert-local and recovered process evidence bind one exact recognized workflow with no contradictory follow-on activity; preserve and escalate on mixed or incomplete evidence.

### False positive analysis

- Legitimate closure is narrow: signed Windows or enterprise endpoint-management helpers may use the elevated COM broker during servicing or support. Align identity (`process.executable`, signer, hash, and PE original name), broker context (`process.parent.args` and effective parent), token state, and absence of contradictory child-process or alert-scope evidence. Recently staged helpers also need `process.Ext.relative_file_creation_time`, hash or signer, parent context, and command line to fit the same update workflow; require outside confirmation when telemetry cannot explain the elevation.
- If workflow context is unavailable, recurrence for the same `host.id` or `user.id` can support the conclusion but cannot override contradictory local evidence.
- Before creating an exception, validate that child identity, signer or hash, `process.parent.args`, token state, and host or user scope stay stable across benign occurrences. Build the exception from that minimum confirmed pattern, and avoid exceptions on `process.parent.name`, `dllhost.exe`, or CLSID values alone.

### Response and remediation

- First, export the alert details, process tree, command line, hash/signature identity, token state, effective-parent evidence, and recovered child-process or related-alert records.
- If confirmed benign after preservation, reverse temporary containment and document the validated child identity, broker CLSID, effective parent, token state, `host.id`, and `user.id` values that proved the workflow. Create an exception only after the same complete pattern repeats benignly.
- If suspicious but unconfirmed, apply reversible containment tied to the finding: block the suspicious `process.executable`, end the associated user session, or raise monitoring on the same `host.id`. Use host isolation only when the elevated child spawned payloads or coincided with tampering or lateral-movement evidence.
- If confirmed malicious, isolate the host when needed to prevent lateral movement, then terminate the elevated child and payloads using the preserved `process.entity_id`, `process.hash.sha256`, command line, broker CLSID, token state, and `@timestamp`. If direct response is unavailable, hand off the preserved process, child-process, and scope evidence to the response team.
- Review other hosts and users for the same `process.parent.args`, `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, or `user.id` before removing artifacts so scoping completes before evidence is destroyed.
- Eradicate only the staged helper binary, launched payloads, persistence changes, and launcher artifacts identified during the investigation, then restore affected controls and service configuration to a known-good state.
- Post-incident hardening: reduce local administrator membership where possible, set UAC to the highest practical enforcement level, restrict system lookalike or helper binaries from user-writable paths, prefer WDAC or AppLocker coverage for admin helpers, and retain process telemetry around elevated COM abuse.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.command_line",
  "process.pe.original_file_name",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
  "process.hash.sha256",
  "process.parent.args",
  "process.Ext.effective_parent.executable",
  "process.Ext.token.integrity_level_name",
  "process.Ext.token.elevation_level",
]

[transform]

[[transform.investigate]]
label = "Child processes launched by the elevated child process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same child and COM interface"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" },
    { excluded = false, field = "process.parent.args", queryType = "phrase", value = "{{process.parent.args}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"

[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
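The rule's EQL predicate, re-expressed as a Python function and run over a handful of constructed process-start events, as an added example that is not part of the Elastic rule or its repository. It shows which events alert and why the two exclusions (the broker's own `WerFault.exe` crash handler and the WireGuard service installer) are there. Field names and CLSIDs are taken from the query above; the sample events, the `_event` helper and the placeholder CLSID in the last event are constructed. The example assumes, as the rule's inclusion of data sources without `process.pe.original_file_name` implies, that an event lacking that field is not excluded by the `!=` test.

```python
"""Added example, not Elastic's code: the rule's EQL predicate as a Python function,
evaluated over constructed process-start events in the rule's field layout."""
from fnmatch import fnmatchcase

# The two CLSIDs from the rule's query; dllhost.exe hosts the COM class named by /Processid.
BROKER_ARGS = {
    "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",
}
# The one non-Windows binary the rule allows through this broker (the WireGuard service installer).
WIREGUARD_EXE = "?:\\Program Files\\WireGuard\\wireguard.exe"


def _get(event, dotted):
    """Read a dotted ECS field such as 'process.parent.args' from a nested dict (None if absent)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when the event satisfies the rule's EQL predicate.
    Assumption: a missing process.pe.original_file_name is not excluded by the != test."""
    if _get(event, "host.os.type") != "windows" or _get(event, "event.type") != "start":
        return False
    if _get(event, "process.parent.name") != "dllhost.exe":
        return False
    # EQL `in` over an array field is true when any element is in the set.
    if not any(a in BROKER_ARGS for a in _get(event, "process.parent.args") or []):
        return False
    if _get(event, "process.pe.original_file_name") == "WerFault.exe":
        return False  # the broker's own crash handler, not an elevated child
    exe = (_get(event, "process.executable") or "").lower()
    args = _get(event, "process.args") or []
    # EQL `:` is case-insensitive and wildcard-aware; fnmatchcase on lowercased text emulates it.
    wireguard_service_install = (
        fnmatchcase(exe, WIREGUARD_EXE.lower()) and "/installmanagerservice" in args
    )
    return not wireguard_service_install


def _event(name, parent_args, executable, args=(), original_file_name=None):
    """Build a constructed process-start event whose parent is the dllhost.exe broker."""
    return {
        "host": {"os": {"type": "windows"}},
        "event": {"type": "start"},
        "process": {
            "name": name,
            "executable": executable,
            "args": list(args),
            "pe": {"original_file_name": original_file_name},
            "parent": {"name": "dllhost.exe", "args": list(parent_args)},
        },
    }


# Constructed samples: one true positive, the two excluded cases, and a launch under a
# different (placeholder) CLSID that the rule does not cover.
SAMPLE_EVENTS = [
    _event("cmd.exe", ["/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"],
           "C:\\Windows\\System32\\cmd.exe", ["cmd.exe"], "Cmd.Exe"),
    _event("WerFault.exe", ["/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"],
           "C:\\Windows\\System32\\WerFault.exe", ["WerFault.exe"], "WerFault.exe"),
    _event("wireguard.exe", ["/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}"],
           "C:\\Program Files\\WireGuard\\wireguard.exe",
           ["C:\\Program Files\\WireGuard\\wireguard.exe", "/installmanagerservice"], "wireguard.exe"),
    _event("regsvr32.exe", ["/Processid:{00000000-0000-0000-0000-000000000000}"],
           "C:\\Windows\\System32\\regsvr32.exe", ["regsvr32.exe"], "REGSVR32.EXE"),
]


def alerting_children(events):
    """Names of the child processes that would raise this alert."""
    return [_get(e, "process.name") for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_children(SAMPLE_EVENTS))  # ['cmd.exe']
```

Only the first sample alerts; the WerFault and WireGuard events are dropped by the rule's two exclusions, and the fourth never matches because its `/Processid` CLSID is not one the rule lists.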
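The child-process recovery the investigation guide describes (pivot on `process.entity_id`, fall back to `host.id` plus `process.pid` in a tight window, and treat PID reuse as ambiguous), as an added example that is not part of the Elastic rule. The function, the five-minute window and all events are constructed; the fields used are the ones the guide names.

```python
"""Added example, not Elastic's code: recover the elevated child's own children, first via
process.entity_id and otherwise via host.id + process.pid in a tight alert-time window,
flagging the result as ambiguous when the PID was reassigned inside that window."""
from datetime import datetime, timedelta


def _ts(event):
    """Parse the ECS @timestamp (ISO 8601, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def recover_children(events, alert, window=timedelta(minutes=5)):
    """Return (children, ambiguous).

    children  - process-start events whose parent is the alert process, in time order
    ambiguous - True only on the PID fallback path, when another process started with the
                alert's PID on the same host inside the window (PID reuse), so some of the
                returned children may belong to that later process instead."""
    proc = alert["process"]
    entity = proc.get("entity_id")
    if entity:  # preferred path: entity ids are unique per process instance
        kids = [e for e in events if e["process"].get("parent", {}).get("entity_id") == entity]
        return sorted(kids, key=_ts), False
    host, pid, start = alert["host"]["id"], proc["pid"], _ts(alert)
    in_window = [e for e in events
                 if e["host"]["id"] == host and start <= _ts(e) <= start + window]
    kids = [e for e in in_window if e["process"].get("parent", {}).get("pid") == pid]
    reused = any(e["process"].get("pid") == pid for e in in_window)
    return sorted(kids, key=_ts), reused


def _evt(ts, host, pid, name, parent_pid, entity=None, parent_entity=None):
    """Build a constructed process-start event."""
    return {"@timestamp": ts, "host": {"id": host},
            "process": {"pid": pid, "name": name, "entity_id": entity,
                        "parent": {"pid": parent_pid, "entity_id": parent_entity}}}


# The same alert seen from a source that provides process.entity_id and from one that does not.
ALERT_WITH_ENTITY = _evt("2026-05-03T10:00:00Z", "h1", 4242, "cmd.exe", 1100, entity="e-alert")
ALERT_PID_ONLY = {"@timestamp": "2026-05-03T10:00:00Z", "host": {"id": "h1"},
                  "process": {"pid": 4242, "name": "cmd.exe"}}

# Constructed telemetry: a real child, a PID-4242 reuse, a child of the reused PID,
# a late event outside the window and an unrelated host.
EVENTS = [
    _evt("2026-05-03T10:00:05Z", "h1", 5001, "powershell.exe", 4242, "e-c1", "e-alert"),
    _evt("2026-05-03T10:00:30Z", "h1", 4242, "svchost.exe", 900, "e-reuse", "e-svc"),
    _evt("2026-05-03T10:00:40Z", "h1", 5002, "conhost.exe", 4242, "e-c2", "e-reuse"),
    _evt("2026-05-03T10:30:00Z", "h1", 5003, "notepad.exe", 4242, "e-c3", "e-late"),
    _evt("2026-05-03T10:00:10Z", "h2", 5004, "whoami.exe", 4242, "e-c4", "e-h2"),
]


def child_names(events, alert):
    """Convenience wrapper: (list of child process names, ambiguous flag)."""
    kids, ambiguous = recover_children(events, alert)
    return [k["process"]["name"] for k in kids], ambiguous


if __name__ == "__main__":
    print(child_names(EVENTS, ALERT_WITH_ENTITY))  # (['powershell.exe'], False)
    print(child_names(EVENTS, ALERT_PID_ONLY))     # (['powershell.exe', 'conhost.exe'], True)
```

With an entity id the lineage is exact: only `powershell.exe` is a child. On the PID fallback the same telemetry also yields `conhost.exe`, which in truth belongs to the `svchost.exe` that took PID 4242 thirty seconds later; the `ambiguous` flag is what tells the analyst not to treat that second child as evidence against the alert process.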
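The exception-building rule from the false-positive section (child identity, signer or hash, `process.parent.args` and token state must stay stable across benign occurrences; parent name or CLSID alone never suffices), turned into a check over recorded occurrences, as an added example that is not part of the Elastic rule. Occurrences are flat dicts keyed by the ECS field names the guide lists; the field groups, the minimum count of three and the Contoso helper, hashes and SIDs are constructed.

```python
"""Added example, not Elastic's code: decide whether benign occurrences are stable enough to
back an exception, and return the minimum confirmed pattern when they are."""

# Must be identical across every benign occurrence before an exception is built.
REQUIRED = (
    "process.executable",
    "process.pe.original_file_name",
    "process.parent.args",
    "process.Ext.token.integrity_level_name",
)
# At least one identity anchor must also be stable; a signed helper that is updated keeps
# its signer while its hash changes, so either one is accepted.
ONE_OF = ("process.code_signature.subject_name", "process.hash.sha256")
# Recorded when stable so the exception can be scoped, but not required.
SCOPE = ("host.id", "user.id")


def exception_pattern(occurrences, min_count=3):
    """Return {field: value} for the minimum confirmed pattern, or None when the evidence
    is too thin (fewer than min_count occurrences, a required field that varies or is
    missing, or no stable signer/hash). process.parent.name and the CLSID are never
    sufficient on their own because every launch through this broker shares them."""
    if len(occurrences) < min_count:
        return None
    stable = {}
    for field in REQUIRED + ONE_OF + SCOPE:
        values = {occ.get(field) for occ in occurrences}
        if len(values) == 1 and None not in values:
            stable[field] = next(iter(values))
    if not all(f in stable for f in REQUIRED) or not any(f in stable for f in ONE_OF):
        return None
    return stable


CLSID_ARG = ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",)  # tuple: hashable
HELPER = "C:\\Program Files\\Contoso Agent\\agentupd.exe"             # constructed vendor helper


def _occurrence(executable, original_name, signer, sha256, user_id, token="High"):
    """Build a constructed benign-closed occurrence as a flat ECS-keyed dict."""
    return {
        "process.executable": executable,
        "process.pe.original_file_name": original_name,
        "process.code_signature.subject_name": signer,
        "process.hash.sha256": sha256,
        "process.parent.name": "dllhost.exe",
        "process.parent.args": CLSID_ARG,
        "process.Ext.token.integrity_level_name": token,
        "host.id": "host-lab-01",
        "user.id": user_id,
    }


# Three servicing runs of one signed helper: the hash moves with each update, the signer does not.
BENIGN_RUNS = [
    _occurrence(HELPER, "agentupd.exe", "Contoso Ltd", "sha256-build-1", "S-1-5-21-0-0-0-1001"),
    _occurrence(HELPER, "agentupd.exe", "Contoso Ltd", "sha256-build-2", "S-1-5-21-0-0-0-1002"),
    _occurrence(HELPER, "agentupd.exe", "Contoso Ltd", "sha256-build-3", "S-1-5-21-0-0-0-1001"),
]
# Same broker and CLSID every time, but a different child: only broker-level fields are stable.
UNSTABLE_RUNS = [
    _occurrence("C:\\Windows\\System32\\cmd.exe", "Cmd.Exe", "Microsoft Windows", "sha256-cmd", "S-1-5-21-0-0-0-1001"),
    _occurrence("C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe", "upd.exe", None, "sha256-tmp", "S-1-5-21-0-0-0-1001"),
    _occurrence("C:\\Windows\\System32\\cmd.exe", "Cmd.Exe", "Microsoft Windows", "sha256-cmd", "S-1-5-21-0-0-0-1001"),
]


if __name__ == "__main__":
    print(exception_pattern(BENIGN_RUNS))    # executable, original name, args, token, signer, host.id
    print(exception_pattern(UNSTABLE_RUNS))  # None
```

For the benign set the returned pattern carries the executable, PE original name, broker arguments, token level, signer and `host.id`; the hash and `user.id` are left out because they varied, so an exception keyed on them would not survive the next update. The unstable set returns `None` even though `process.parent.name` and the CLSID repeat in every record.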
Related rules
- Bypass UAC via Event Viewer
- Potential Escalation via Vulnerable MSI Repair
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Windir Environment Variable
- Suspicious Print Spooler Point and Print DLL