← Back to Explore
splunk_escuTTP
Windows UAC Bypass Suspicious Escalation Behavior
The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.
Detection Query
| tstats `security_content_summariesonly`
count max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE
Processes.process_integrity_level IN (
"low",
"medium"
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| eval original_integrity_level = CASE(
match(process_integrity_level,"low"),1,
match(process_integrity_level,"medium"),2,
match(process_integrity_level,"high"),3,
match(process_integrity_level,"system"),4,
true(),0
)
| rename process_guid as join_guid_1,
process* as parent_process*
| join max=0 dest join_guid_1 [
| tstats `security_content_summariesonly`
count min(_time) as firstTime
FROM datamodel=Endpoint.Processes WHERE
Processes.process_integrity_level IN (
"high",
"system"
)
Processes.process_name IN (`uacbypass_process_name`)
BY Processes.dest Processes.parent_process_guid
Processes.process_name Processes.process_guid
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid_1,
process_guid as join_guid_2,
process_name as uac_process_name
]
| join max=0 dest join_guid_2 [
| tstats `security_content_summariesonly`
count min(_time) as firstTime
FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name IN (`uacbypass_process_name`)
Processes.process_integrity_level IN (
"high",
"system"
)
BY Processes.dest Processes.parent_process_guid
Processes.process_name Processes.process
Processes.process_guid Processes.process_path
Processes.process_integrity_level Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid_2
| eval elevated_integrity_level = CASE(
match(process_integrity_level,"low"),1,
match(process_integrity_level,"medium"),2,
match(process_integrity_level,"high"),3,
match(process_integrity_level,"system"),4,
true(),0
)
]
| where elevated_integrity_level > original_integrity_level
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_escalation_behavior_filter`Author
Steven Dick
Created
2026-03-25
Data Sources
Sysmon EventID 1 AND Sysmon EventID 1
References
Tags
Living Off The LandCompromised Windows HostWindows Defense Evasion Tactics
Raw Content
name: Windows UAC Bypass Suspicious Escalation Behavior
id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3
version: 12
date: '2026-03-25'
author: Steven Dick
status: production
type: TTP
description: |-
The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process.
This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables.
This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges.
If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.
data_source:
- Sysmon EventID 1 AND Sysmon EventID 1
search: |-
| tstats `security_content_summariesonly`
count max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE
Processes.process_integrity_level IN (
"low",
"medium"
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| eval original_integrity_level = CASE(
match(process_integrity_level,"low"),1,
match(process_integrity_level,"medium"),2,
match(process_integrity_level,"high"),3,
match(process_integrity_level,"system"),4,
true(),0
)
| rename process_guid as join_guid_1,
process* as parent_process*
| join max=0 dest join_guid_1 [
| tstats `security_content_summariesonly`
count min(_time) as firstTime
FROM datamodel=Endpoint.Processes WHERE
Processes.process_integrity_level IN (
"high",
"system"
)
Processes.process_name IN (`uacbypass_process_name`)
BY Processes.dest Processes.parent_process_guid
Processes.process_name Processes.process_guid
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid_1,
process_guid as join_guid_2,
process_name as uac_process_name
]
| join max=0 dest join_guid_2 [
| tstats `security_content_summariesonly`
count min(_time) as firstTime
FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name IN (`uacbypass_process_name`)
Processes.process_integrity_level IN (
"high",
"system"
)
BY Processes.dest Processes.parent_process_guid
Processes.process_name Processes.process
Processes.process_guid Processes.process_path
Processes.process_integrity_level Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid_2
| eval elevated_integrity_level = CASE(
match(process_integrity_level,"low"),1,
match(process_integrity_level,"medium"),2,
match(process_integrity_level,"high"),3,
match(process_integrity_level,"system"),4,
true(),0
)
]
| where elevated_integrity_level > original_integrity_level
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_escalation_behavior_filter`
how_to_implement: |-
Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.
known_false_positives: |-
Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.
references:
- https://attack.mitre.org/techniques/T1548/002/
- https://atomicredteam.io/defense-evasion/T1548.002/
- https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
drilldown_searches:
- name: View the detection results for - "$dest$" and "$user$"
search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A UAC bypass behavior was detected by process $parent_process_name$ on host $dest$ by $user$.
risk_objects:
- field: dest
type: system
score: 50
- field: user
type: user
score: 50
threat_objects:
- field: process_name
type: process_name
- field: process_name
type: process_name
- field: parent_process_name
type: parent_process_name
tags:
analytic_story:
- Living Off The Land
- Compromised Windows Host
- Windows Defense Evasion Tactics
asset_type: Endpoint
mitre_attack_id:
- T1548.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog