Windows UAC Bypass Suspicious Escalation Behavior
Description
The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-05-27
- Author: Steven Dick
- ID: 00d050d3-a5b4-4565-a6a5-a31f69681dc3
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)
| rename process_guid as join_guid_1, process* as parent_process*
| join max=0 dest join_guid_1 [
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ]
| join max=0 dest join_guid_2 [
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN ("high","system") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as join_guid_2
| eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)]
| where elevated_integrity_level > original_integrity_level
| table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_escalation_behavior_filter`
Macros
The SPL above uses the following Macros:
windows_uac_bypass_suspicious_escalation_behavior_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- Processes.dest
- Processes.user
- Processes.parent_process_guid
- Processes.parent_process
- Processes.parent_process_name
- Processes.process_name Processes.process
- Processes.process_path
- Processes.process_integrity_level
- Processes.process_current_directory
How To Implement
Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.
Known False Positives
Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
64.0 | 80 | 80 | A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1548/002/
- https://atomicredteam.io/defense-evasion/T1548.002/
- https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2