UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
Sigma rule (View on GitHub)
1title: UAC Bypass via ICMLuaUtil
2id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
3status: test
4description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
5references:
6 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
7author: Florian Roth (Nextron Systems), Elastic (idea)
8date: 2022-09-13
9modified: 2022-09-27
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1548.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\dllhost.exe'
20 ParentCommandLine|contains:
21 - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
22 - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
23 filter:
24 - Image|endswith: '\WerFault.exe'
25 - OriginalFileName: 'WerFault.exe'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: high
References
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager