UAC Bypass Attempt via Privileged IFileOperation COM Interface
Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/10/27"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to
stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
references = [
  "https://github.com/hfiref0x/UACME",
  "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies",
]
risk_score = 73
rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and
  /* Known module names side-loaded into a process running at high or system integrity level for UAC bypass; update here for new modules */
  file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and
  /* Has no impact on rule logic; only avoids OS-install-related FPs */
  not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating UAC Bypass Attempt via Privileged IFileOperation COM Interface

The IFileOperation COM interface is a Windows component used for file operations with elevated privileges. Adversaries exploit this by side-loading malicious DLLs into processes like dllhost.exe, bypassing UAC to gain elevated permissions stealthily. The detection rule identifies such attempts by monitoring changes to specific DLLs loaded into high-integrity processes, filtering out benign system paths to reduce false positives.

### Possible investigation steps

- Review the alert details to confirm the process name is "dllhost.exe" and verify the integrity level of the process to ensure it is running with high or system integrity.
- Check the file name involved in the alert to see if it matches any of the known malicious DLLs such as "wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", or "Accessibility.ni.dll".
- Investigate the file path of the loaded DLL to ensure it does not originate from benign system paths like "C:\\Windows\\SoftwareDistribution\\" or "C:\\Windows\\WinSxS\\".
- Analyze the parent process of "dllhost.exe" to determine how it was initiated and whether it aligns with expected behavior or indicates potential compromise.
- Review recent system changes or installations that might have introduced the suspicious DLL, focusing on any unauthorized or unexpected software installations.
- Correlate the event with other security logs or alerts from data sources such as Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or patterns.
- Assess the risk and impact of the potential UAC bypass attempt and determine if further containment or remediation actions are necessary.

### False positive analysis

- System updates and installations can trigger false positives due to legitimate changes in DLLs. Exclude paths related to Windows updates and installations, such as C:\\Windows\\SoftwareDistribution\\* and C:\\Windows\\WinSxS\\*.
- Certain legitimate software may use DLLs like comctl32.dll or duser.dll in a manner that mimics side-loading. Identify and whitelist these applications if they are known and trusted within your environment.
- Security software or system management tools might perform operations that resemble UAC bypass attempts. Review and exclude these tools if they are verified as safe and necessary for your operations.
- Regularly review and update the list of known benign DLLs and paths to ensure that new legitimate software does not trigger false positives.
- Monitor for patterns of repeated false positives from specific processes or paths and consider creating exceptions for these scenarios after thorough validation.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate the dllhost.exe process if it is confirmed to be involved in the UAC bypass attempt to stop any ongoing malicious activity.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious DLLs or associated malware.
- Review and restore any modified system files or settings to their original state to ensure system integrity.
- Apply any pending security patches and updates to the operating system and installed software to mitigate known vulnerabilities.
- Monitor the network for any signs of similar activity or attempts to exploit the IFileOperation COM interface on other systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"


[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.002"
name = "DLL Side-Loading"
reference = "https://attack.mitre.org/techniques/T1574/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
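To make the EQL predicate above concrete, here is an added Python re-implementation of the rule's filter run over a handful of constructed file events (this is example code written for this page, not Elastic's engine or the rule itself). It mirrors each clause of the query: Windows host, `change` event type, `dllhost.exe` as the writing process, one of the watched module names, and the two OS-install path carve-outs. Matching is case-insensitive, as EQL's `:` operator is on keyword fields. It goes one step beyond the query by accepting an extra list of exclusion globs, which is how the "False positive analysis" guidance about adding exceptions for trusted tools would be expressed in this toy form. The sample events are invented; the component directory name under WinSxS is a placeholder.

```python
import fnmatch

# Module names the rule watches for, lower-cased so matching is case-insensitive.
SIDELOAD_DLLS = {
    "wow64log.dll", "comctl32.dll", "dismcore.dll",
    "osksupport.dll", "duser.dll", "accessibility.ni.dll",
}

# Path globs the rule excludes to suppress OS-install noise.
EXCLUDED_PATH_GLOBS = (
    "c:\\windows\\softwaredistribution\\*",
    "c:\\windows\\winsxs\\*",
)


def _as_list(value):
    """ECS fields such as event.type may be a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(value, pattern):
    """Case-insensitive wildcard match; backslashes in Windows paths are literal."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event, extra_exclusions=()):
    """Return True if one file event satisfies the rule's EQL predicate.

    extra_exclusions: additional path globs (hypothetical tuning knob, not part
    of the rule) for environment-specific exceptions validated by the analyst.
    """
    if event.get("host.os.type") != "windows":
        return False
    if "change" not in [t.lower() for t in _as_list(event.get("event.type"))]:
        return False
    if (event.get("process.name") or "").lower() != "dllhost.exe":
        return False
    if (event.get("file.name") or "").lower() not in SIDELOAD_DLLS:
        return False
    path = event.get("file.path") or ""
    for glob in EXCLUDED_PATH_GLOBS + tuple(extra_exclusions):
        if _glob_match(path, glob):
            return False
    return True


def run_rule(events, extra_exclusions=()):
    """Apply the predicate to a batch of events and return the matching ones."""
    return [e for e in events if matches_rule(e, extra_exclusions)]


# Constructed sample events (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    {   # match: watched DLL written by dllhost.exe outside the excluded paths
        "host.os.type": "windows", "event.type": ["change"],
        "process.name": "dllhost.exe", "file.name": "wow64log.dll",
        "file.path": "C:\\Windows\\System32\\wow64log.dll",
    },
    {   # match: mixed-case process and file names still match
        "host.os.type": "windows", "event.type": "change",
        "process.name": "DllHost.exe", "file.name": "DismCore.dll",
        "file.path": "C:\\Users\\Public\\DismCore.dll",
    },
    {   # excluded: under WinSxS, the rule's OS-install carve-out (placeholder component dir)
        "host.os.type": "windows", "event.type": ["change"],
        "process.name": "dllhost.exe", "file.name": "comctl32.dll",
        "file.path": "C:\\Windows\\WinSxS\\PLACEHOLDER_COMPONENT\\comctl32.dll",
    },
    {   # no match: creation rather than change
        "host.os.type": "windows", "event.type": ["creation"],
        "process.name": "dllhost.exe", "file.name": "duser.dll",
        "file.path": "C:\\Temp\\duser.dll",
    },
    {   # no match: wrong writing process
        "host.os.type": "windows", "event.type": ["change"],
        "process.name": "explorer.exe", "file.name": "duser.dll",
        "file.path": "C:\\Temp\\duser.dll",
    },
    {   # no match: not a Windows host
        "host.os.type": "linux", "event.type": ["change"],
        "process.name": "dllhost.exe", "file.name": "wow64log.dll",
        "file.path": "/tmp/wow64log.dll",
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["process.name"], "->", hit["file.path"])
```

Running it prints two alerts, for the System32 and Users\Public writes; passing `extra_exclusions=("c:\\users\\public\\*",)` suppresses the second, which is the shape of exception an analyst would add only after validating that the path is benign in their environment.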
Related rules
- Potential privilege escalation via CVE-2022-38028
- Suspicious WerFault Child Process
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack