UAC Bypass Tools Using ComputerDefaults

Apr 28, 2026 · attack.privilege-escalation attack.t1548.002 ·

Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

Sigma rule (View on GitHub)

 1title: UAC Bypass Tools Using ComputerDefaults
 2id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
 3status: test
 4description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
 5references:
 6    - https://github.com/hfiref0x/UACME
 7author: Christian Burkard (Nextron Systems)
 8date: 2021-08-31
 9modified: 2024-12-01
10tags:
11    - attack.privilege-escalation
12    - attack.t1548.002
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        IntegrityLevel:
19            - 'High'
20            - 'System'
21            - 'S-1-16-16384' # System
22            - 'S-1-16-12288' # High
23        Image: 'C:\Windows\System32\ComputerDefaults.exe'
24    filter:
25        ParentImage|contains:
26            - ':\Windows\System32'
27            - ':\Program Files'
28    condition: selection and not filter
29falsepositives:
30    - Unknown
31level: high

References

https://github.com/hfiref0x/UACME

Read More

UAC Bypass Tools Using ComputerDefaults

Sigma rule (View on GitHub)

References

https://github.com/hfiref0x/UACME

Related rules