UAC Bypass Attempt via Privileged IFileOperation COM Interface
Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
Elastic rule
[metadata]
creation_date = "2020/10/27"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to
stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://github.com/hfiref0x/UACME",
    "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies",
]
risk_score = 73
rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and
  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */
  file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and
  /* has no impact on rule logic just to avoid OS install related FPs */
  not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
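To make the query's conditions concrete, the following Python re-implements the rule's EQL predicate and runs it over a handful of constructed file events. This is an added example written for this page, not Elastic's code or part of the rule; the events are made up (flattened to dotted ECS field names, with an extra "id" key for readability), and the matching mirrors EQL semantics where ':' compares case-insensitively and honours wildcards, and where a deletion or an event from a different process does not match. The path exclusions are applied exactly as the rule does, so a matching DLL staged under WinSxS by OS servicing is suppressed.

```python
from fnmatch import fnmatchcase

# File names from the rule's file.name list, lower-cased because EQL ':' is case-insensitive.
SIDELOADED_DLLS = frozenset(
    n.lower() for n in (
        "wow64log.dll", "comctl32.dll", "DismCore.dll",
        "OskSupport.dll", "duser.dll", "Accessibility.ni.dll",
    )
)

# Path globs the rule excludes to avoid OS-servicing false positives.
EXCLUDED_PATH_GLOBS = (
    "c:\\windows\\softwaredistribution\\*",
    "c:\\windows\\winsxs\\*",
)


def _as_list(value):
    """ECS event.type may be a single string or an array; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def matches_rule(event: dict) -> bool:
    """Re-implement the rule's EQL predicate for one flattened ECS event (dotted keys)."""
    if event.get("event.category") != "file":          # `file where ...`
        return False
    if event.get("host.os.type") != "windows":
        return False
    if "change" not in (t.lower() for t in _as_list(event.get("event.type"))):
        return False
    if (event.get("process.name") or "").lower() != "dllhost.exe":
        return False
    if (event.get("file.name") or "").lower() not in SIDELOADED_DLLS:
        return False
    path = (event.get("file.path") or "").lower()
    # `not file.path : (...)`: if any exclusion glob matches, no alert.
    return not any(fnmatchcase(path, glob) for glob in EXCLUDED_PATH_GLOBS)


def find_hits(events):
    """Return the ids of the events that would raise this rule's alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), flattened to dotted ECS keys.
SAMPLE_EVENTS = [
    {   # dllhost.exe writing a listed DLL into System32: alert
        "id": 1, "event.category": "file", "event.type": ["change"],
        "host.os.type": "windows", "process.name": "dllhost.exe",
        "file.name": "wow64log.dll",
        "file.path": "C:\\Windows\\System32\\wow64log.dll",
    },
    {   # same DLL name staged under WinSxS by servicing: excluded path, no alert
        "id": 2, "event.category": "file", "event.type": ["change"],
        "host.os.type": "windows", "process.name": "dllhost.exe",
        "file.name": "comctl32.dll",
        "file.path": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls\\comctl32.dll",
    },
    {   # mixed case in process and file names still matches (EQL ':' is case-insensitive)
        "id": 3, "event.category": "file", "event.type": "change",
        "host.os.type": "windows", "process.name": "DllHost.EXE",
        "file.name": "DISMCORE.DLL",
        "file.path": "C:\\Windows\\System32\\DISMCORE.DLL",
    },
    {   # a different process writing a listed DLL: no alert
        "id": 4, "event.category": "file", "event.type": ["change"],
        "host.os.type": "windows", "process.name": "explorer.exe",
        "file.name": "duser.dll",
        "file.path": "C:\\Users\\alice\\Downloads\\duser.dll",
    },
    {   # dllhost.exe writing a DLL that is not in the watched list: no alert
        "id": 5, "event.category": "file", "event.type": ["change"],
        "host.os.type": "windows", "process.name": "dllhost.exe",
        "file.name": "version.dll",
        "file.path": "C:\\Windows\\System32\\version.dll",
    },
    {   # deletion rather than change: no alert
        "id": 6, "event.category": "file", "event.type": ["deletion"],
        "host.os.type": "windows", "process.name": "dllhost.exe",
        "file.name": "OskSupport.dll",
        "file.path": "C:\\Windows\\System32\\OskSupport.dll",
    },
]

if __name__ == "__main__":
    print("alerting event ids:", find_hits(SAMPLE_EVENTS))  # [1, 3]
```

The exclusion globs are matched with fnmatchcase on lower-cased paths so that the comparison stays case-insensitive regardless of the host platform. Extending the rule, as its comment invites, is a matter of adding names to SIDELOADED_DLLS (or to the file.name list in the EQL itself); any such addition should be re-checked against the WinSxS and SoftwareDistribution exclusions, since those paths are where legitimate copies of the same DLLs are written during updates.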
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
References
- https://github.com/hfiref0x/UACME
- https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies
Related rules
- Bypass UAC via Event Viewer
- Disabling User Account Control via Registry Modification
- Local Account TokenFilter Policy Disabled
- Potential LSA Authentication Package Abuse
- Potential Port Monitor or Print Processor Registration Abuse