UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Sigma rule (View on GitHub)
1title: UAC Bypass Using NTFS Reparse Point - Process
2id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
3status: test
4description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
5references:
6 - https://github.com/hfiref0x/UACME
7author: Christian Burkard (Nextron Systems)
8date: 2021-08-30
9modified: 2024-12-01
10tags:
11 - attack.privilege-escalation
12 - attack.t1548.002
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection1:
18 CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
19 CommandLine|endswith: '\AppData\Local\Temp\update.msu'
20 IntegrityLevel:
21 - 'High'
22 - 'System'
23 - 'S-1-16-16384' # System
24 - 'S-1-16-12288' # High
25 selection2:
26 ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
27 IntegrityLevel:
28 - 'High'
29 - 'System'
30 CommandLine|contains|all:
31 - 'C:\Users\'
32 - '\AppData\Local\Temp\'
33 - '\dismhost.exe {'
34 Image|endswith: '\DismHost.exe'
35 condition: 1 of selection*
36falsepositives:
37 - Unknown
38level: high
References
Related rules
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP