UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
Sigma rule (View on GitHub)
1title: UAC Bypass via ICMLuaUtil
2id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
3status: test
4description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
5references:
6 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
7author: Florian Roth (Nextron Systems), Elastic (idea)
8date: 2022/09/13
9modified: 2022/09/27
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - attack.t1548.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\dllhost.exe'
20 ParentCommandLine|contains:
21 - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
22 - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
23 filter:
24 - Image|endswith: '\WerFault.exe'
25 - OriginalFileName: 'WerFault.exe'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: high
References
-
UAC Bypass via ICMLuaUtil Elevated COM Interfaceedit Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthi...
Read More
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Function Call From Undocumented COM Interface EditionUpgradeManager
- HackTool - UACMe Akagi Execution
- UAC Bypass via Event Viewer