UAC Bypass via ICMLuaUtil Elevated COM Interface

Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.

Elastic rule

[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt
to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 73
rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name == "dllhost.exe" and
  process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
  process.pe.original_file_name != "WerFault.exe"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
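The EQL query above is easiest to reason about as a predicate over ECS process events: the parent must be dllhost.exe started as a COM surrogate for one of the two ICMLuaUtil CLSIDs, and the child must not be the WerFault.exe crash handler. The following added example (not part of the Elastic rule or its repository) re-implements that predicate in plain Python and runs it over constructed sample events, so a defender can check which telemetry shapes the rule would fire on, and which the WerFault.exe exclusion suppresses, before deploying it. The sample events, the helper names and the "other CLSID" placeholder value are all constructed for the example; the treatment of a missing `process.pe.original_file_name` as "not excluded" is an assumption of this code, not a statement about Elasticsearch EQL null semantics.

```python
# Added example (not the Elastic rule's own code): evaluate the rule's EQL
# conditions over constructed ECS-style process events.

# The two CLSID arguments the rule looks for in process.parent.args
# (values copied from the rule's query).
ICMLUAUTIL_CLSID_ARGS = {
    "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",
}


def get_field(event, dotted):
    """Resolve an ECS dotted field name such as 'process.parent.name' in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_uac_bypass_rule(event):
    """Return True when the event satisfies every condition of the rule's query."""
    if get_field(event, "host.os.type") != "windows":
        return False
    if get_field(event, "event.type") != "start":
        return False
    if get_field(event, "process.parent.name") != "dllhost.exe":
        return False
    # EQL `field in (...)` on an array field is satisfied if any element matches.
    parent_args = get_field(event, "process.parent.args") or []
    if not any(arg in ICMLUAUTIL_CLSID_ARGS for arg in parent_args):
        return False
    # Exclusion: WerFault.exe spawned by the surrogate is the crash handler, not a payload.
    # Assumption of this example: a missing original_file_name is treated as not excluded.
    if get_field(event, "process.pe.original_file_name") == "WerFault.exe":
        return False
    return True


def make_event(parent_args, child_name, original_file_name, os_type="windows"):
    """Build a constructed ECS-style process start event (sample data, not real telemetry)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": "start"},
        "process": {
            "name": child_name,
            "pe": {"original_file_name": original_file_name},
            "parent": {
                "name": "dllhost.exe",
                # ECS process.parent.args holds the full tokenised command line.
                "args": ["C:\\Windows\\System32\\dllhost.exe"] + parent_args,
            },
        },
    }


# Constructed sample events covering the match and the main non-match cases.
SAMPLE_EVENTS = {
    "icmluautil_cmd": make_event(
        ["/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"], "cmd.exe", "Cmd.Exe"),
    "icmluautil_werfault": make_event(
        ["/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"], "WerFault.exe", "WerFault.exe"),
    # Placeholder CLSID constructed for the example; any non-listed GUID behaves the same.
    "other_clsid": make_event(
        ["/Processid:{00000000-0000-0000-0000-000000000000}"], "cmd.exe", "Cmd.Exe"),
    "not_windows": make_event(
        ["/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}"], "sh", "sh", os_type="linux"),
}


def evaluate_samples(events=SAMPLE_EVENTS):
    """Map each sample event name to whether the rule's predicate fires on it."""
    return {name: matches_uac_bypass_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:22s} -> {'ALERT' if fired else 'no match'}")
```

Only the first sample fires: a child process launched by the ICMLuaUtil surrogate whose original file name is not WerFault.exe. The exclusion exists because the same elevated dllhost.exe legitimately spawns WerFault.exe when the COM server crashes, so keeping that case out of the alert stream removes a common benign source of noise without touching the attacker-relevant path.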

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
