UAC Bypass Using ChangePK and SLUI

 1title: UAC Bypass Using ChangePK and SLUI
 2id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
 3status: test
 4description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
 5references:
 6    - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
 7    - https://github.com/hfiref0x/UACME
 8    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 9author: Christian Burkard (Nextron Systems)
10date: 2021-08-23
11modified: 2024-12-01
12tags:
13    - attack.privilege-escalation
14    - attack.t1548.002
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\changepk.exe'
21        ParentImage|endswith: '\slui.exe'
22        IntegrityLevel:
23            - 'High'
24            - 'System'
25            - 'S-1-16-16384' # System
26            - 'S-1-16-12288' # High
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

• https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b

  
  Read More

• https://github.com/hfiref0x/UACME

  
  Read More

• https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf

  
  Read More

Related rules

• Always Install Elevated MSI Spawned Cmd And Powershell
• Always Install Elevated Windows Installer
• Bypass UAC Using DelegateExecute
• Bypass UAC Using SilentCleanup Task
• Bypass UAC via CMSTP