UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
Sigma rule (View on GitHub)
1title: UAC Bypass via ICMLuaUtil
2id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
3status: test
4description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
5references:
6 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
7author: Florian Roth (Nextron Systems), Elastic (idea)
8date: 2022-09-13
9modified: 2022-09-27
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1548.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\dllhost.exe'
20 ParentCommandLine|contains:
21 - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
22 - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
23 filter:
24 - Image|endswith: '\WerFault.exe'
25 - OriginalFileName: 'WerFault.exe'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: high
References
-
UAC Bypass via ICMLuaUtil Elevated COM Interface edit Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealth...
Read More
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP UAC Bypass via COM Object Access