UAC Bypass via ICMLuaUtil Elevated COM Interface

Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.


  1[metadata]
  2creation_date = "2020/10/19"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
 11to bypass UAC to stealthily execute code with elevated permissions.
 12"""
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
 18risk_score = 73
 19rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
 20setup = """## Setup
 21
 22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 25`event.ingested` to @timestamp.
 26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 27"""
 28severity = "high"
 29tags = [
 30    "Domain: Endpoint",
 31    "OS: Windows",
 32    "Use Case: Threat Detection",
 33    "Tactic: Privilege Escalation",
 34    "Tactic: Defense Evasion",
 35    "Tactic: Execution",
 36    "Data Source: Elastic Endgame",
 37    "Data Source: Elastic Defend",
 38    "Data Source: Sysmon",
 39]
 40timestamp_override = "event.ingested"
 41type = "eql"
 42
 43query = '''
 44process where host.os.type == "windows" and event.type == "start" and
 45 process.parent.name == "dllhost.exe" and
 46 process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
 47 process.pe.original_file_name != "WerFault.exe"
 48'''
 49
 50
 51[[rule.threat]]
 52framework = "MITRE ATT&CK"
 53[[rule.threat.technique]]
 54id = "T1548"
 55name = "Abuse Elevation Control Mechanism"
 56reference = "https://attack.mitre.org/techniques/T1548/"
 57[[rule.threat.technique.subtechnique]]
 58id = "T1548.002"
 59name = "Bypass User Account Control"
 60reference = "https://attack.mitre.org/techniques/T1548/002/"
 61
 62
 63
 64[rule.threat.tactic]
 65id = "TA0004"
 66name = "Privilege Escalation"
 67reference = "https://attack.mitre.org/tactics/TA0004/"
 68[[rule.threat]]
 69framework = "MITRE ATT&CK"
 70[[rule.threat.technique]]
 71id = "T1548"
 72name = "Abuse Elevation Control Mechanism"
 73reference = "https://attack.mitre.org/techniques/T1548/"
 74[[rule.threat.technique.subtechnique]]
 75id = "T1548.002"
 76name = "Bypass User Account Control"
 77reference = "https://attack.mitre.org/techniques/T1548/002/"
 78
 79
 80
 81[rule.threat.tactic]
 82id = "TA0005"
 83name = "Defense Evasion"
 84reference = "https://attack.mitre.org/tactics/TA0005/"
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87[[rule.threat.technique]]
 88id = "T1559"
 89name = "Inter-Process Communication"
 90reference = "https://attack.mitre.org/techniques/T1559/"
 91[[rule.threat.technique.subtechnique]]
 92id = "T1559.001"
 93name = "Component Object Model"
 94reference = "https://attack.mitre.org/techniques/T1559/001/"
 95
 96
 97
 98[rule.threat.tactic]
 99id = "TA0002"
100name = "Execution"
101reference = "https://attack.mitre.org/tactics/TA0002/"

