UAC Bypass Attempt via Privileged IFileOperation COM Interface

Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.


# Elastic prebuilt detection rule: flags DLL side-loading activity that is consistent
# with a UAC bypass through the privileged IFileOperation COM interface (see the
# `name` and `description` keys under [rule]).  Values here are the rule's own
# contract with the Elastic Security engine; edit the query and the threat mapping
# together so the detection and its ATT&CK coverage stay in sync.
[metadata]
creation_date = "2020/10/27"
# Integrations whose data streams this rule is written against (see `index` below).
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to
stealthily execute code with elevated permissions.
"""
# Lookback window per rule execution.  It is evaluated against `event.ingested`
# (see `timestamp_override` below), so late-arriving events are still considered
# as long as they are ingested within the window.
from = "now-9m"
# Data sources that carry Windows file events: Winlogbeat, Elastic Defend file
# events, Sysmon (via the windows integration) and Endgame.
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
# UACME catalogues the bypass techniques this rule covers; the Security Labs
# article explains the detection strategy behind the query.
references = [
    "https://github.com/hfiref0x/UACME",
    "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies",
]
# Keep `risk_score` and `severity` consistent with each other when tuning.
risk_score = 73
rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
# Rendered as the "Setup" guide in the rule UI.  Relevant because the rule keys
# its time window on `event.ingested`; indices that never populate that field
# (non-agent sources before 8.2) will silently match nothing.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
# Use ingest time rather than @timestamp so the `from` window is not defeated by
# clock skew or delayed shipping on the endpoint.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL, literal multi-line string so the backslashes in the paths
# are passed through to EQL as written):
#   * file `change` events on Windows hosts where the acting process is
#     dllhost.exe -- the surrogate the rule title associates with the privileged
#     IFileOperation COM server;
#   * the written file name is one of the DLLs known to be side-loaded by
#     elevated processes (the list is the tuning point -- extend it when a new
#     module is documented, and note that the match is on name only, so a
#     legitimate write of one of these names outside the excluded paths alerts);
#   * excludes Windows Update / WinSxS servicing paths, which write these names
#     legitimately.  Broadening the exclusions weakens the rule; prefer
#     exceptions scoped to a specific process or host instead.
query = '''
file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and
  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */
  file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and
  /* has no impact on rule logic just to avoid OS install related FPs */
  not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*")
'''


# ATT&CK mapping.  One [[rule.threat]] element per tactic; the technique list is
# repeated under each tactic it applies to, and each element's [rule.threat.tactic]
# sub-table must stay after that element's techniques (it attaches to the
# current [[rule.threat]] entry).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"
# The side-loading half of the behaviour is mapped under Defense Evasion only.
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.002"
name = "DLL Side-Loading"
reference = "https://attack.mitre.org/techniques/T1574/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
