sigmahighHunting

UAC Bypass via ICMLuaUtil

Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface

MITRE ATT&CK

defense-evasionprivilege-escalation

Detection Query

selection:
  ParentImage|endswith: \dllhost.exe
  ParentCommandLine|contains:
    - /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    - /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
filter:
  - Image|endswith: \WerFault.exe
  - OriginalFileName: WerFault.exe
condition: selection and not filter

Author

Florian Roth (Nextron Systems), Elastic (idea)

Created

2022-09-13

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html

Tags

attack.defense-evasionattack.privilege-escalationattack.t1548.002

Raw Content

title: UAC Bypass via ICMLuaUtil
id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
status: test
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
references:
    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
author: Florian Roth (Nextron Systems), Elastic (idea)
date: 2022-09-13
modified: 2022-09-27
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dllhost.exe'
        ParentCommandLine|contains:
            - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
            - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
    filter:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high