splunk_escuAnomaly

Windows Handle Duplication in Known UAC-Bypass Binaries

The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.

MITRE ATT&CK

T1134.001

Detection Query

`sysmon` EventCode=10 TargetImage IN("*\\ComputerDefaults.exe", "*\\eventvwr.exe*", "*\\fodhelper.exe","*\\slui.exe","*\\sdclt.exe","*\\mmc.exe", "*\\colorcpl.exe","*\\wsreset.exe","*\\esentutl.exe", "*\PkgMgr.exe") AND NOT (SourceImage IN ("*C:\\Windows\\system32\\*","*C:\\Windows\\syswow64\\*","*C:\\Program Files\\*", "*C:\\Program Files (x86)\\*","%systemroot%\\*")) | eval g_access_decimal = tonumber(replace(GrantedAccess,"0x",""),16) | eval PROCESS_DUP_HANDLE = 64 | eval dup_handle_set = bit_and (g_access_decimal, PROCESS_DUP_HANDLE) | where dup_handle_set == PROCESS_DUP_HANDLE | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage GrantedAccess PROCESS_DUP_HANDLE g_access_decimal dup_handle_set Guid Opcode ProcessID SecurityID SourceProcessGUID SourceProcessId  TargetProcessGUID TargetProcessId UserID dest granted_access parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product CallTrace EventID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_handle_duplication_in_known_uac_bypass_binaries_filter`

Author

Teoderick Contreras, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 10

References

https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

Tags

Castle RAT

Raw Content

name: Windows Handle Duplication in Known UAC-Bypass Binaries
id: d7369bf5-1315-4138-b927-2dd8bb8c1da7
version: 2
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.
data_source:
    - Sysmon EventID 10
search: '`sysmon` EventCode=10 TargetImage IN("*\\ComputerDefaults.exe", "*\\eventvwr.exe*", "*\\fodhelper.exe","*\\slui.exe","*\\sdclt.exe","*\\mmc.exe", "*\\colorcpl.exe","*\\wsreset.exe","*\\esentutl.exe", "*\PkgMgr.exe") AND NOT (SourceImage IN ("*C:\\Windows\\system32\\*","*C:\\Windows\\syswow64\\*","*C:\\Program Files\\*", "*C:\\Program Files (x86)\\*","%systemroot%\\*")) | eval g_access_decimal = tonumber(replace(GrantedAccess,"0x",""),16) | eval PROCESS_DUP_HANDLE = 64 | eval dup_handle_set = bit_and (g_access_decimal, PROCESS_DUP_HANDLE) | where dup_handle_set == PROCESS_DUP_HANDLE | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage GrantedAccess PROCESS_DUP_HANDLE g_access_decimal dup_handle_set Guid Opcode ProcessID SecurityID SourceProcessGUID SourceProcessId  TargetProcessGUID TargetProcessId UserID dest granted_access parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product CallTrace EventID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_handle_duplication_in_known_uac_bypass_binaries_filter`'
how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: It is possible legitimate applications will request access to list of know abused Windows UAC binaries process, filter as needed.
references:
    - https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A process $SourceImage$ is duplicating the handle token of $TargetImage$ on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects:
        - field: parent_process_name
          type: parent_process_name
tags:
    analytic_story:
        - Castle RAT
    asset_type: Endpoint
    mitre_attack_id:
        - T1134.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.001/uac_process_handle_dup/Computerdefaults_access.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog