Windows UAC Bypass Suspicious Child Process
Description
The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-05-22
- Author: Steven Dick
- ID: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| where parent_process_name != process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_child_process_filter`
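As an added example (not Splunk's content and not part of this page), the search logic above re-implemented in Python and run over constructed Sysmon Event ID 1 records shaped like the Endpoint.Processes fields the search uses. The expansion of `uacbypass_process_name`, the lower-casing of values and the record layout are assumptions made here.

```python
import fnmatch

# Assumed expansion of the `uacbypass_process_name` macro, which the page does not
# define; eventvwr.exe is the binary named in the referenced enigma0x3 write-up.
UACBYPASS_PARENTS = {"eventvwr.exe", "fodhelper.exe"}
# Child names from the SPL (wscript carries its .exe suffix so it can match process_name).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "bash.exe", "werfault.exe"}
# Wildcards the SPL applies to Processes.process (the command line); the first matches UNC paths.
USER_LOCATION_PATTERNS = ("*\\\\*", "*\\Users\\*", "*\\ProgramData\\*", "*\\Temp\\*")
# RBA message template from the page with its $field$ tokens turned into format fields.
MESSAGE = ("A UAC bypass parent process- {parent_process_name} on host- {dest} "
           "launched a suspicious child process - {process_name}.")

def is_suspicious_child(ev):
    """Mirror the tstats where-clause plus the `parent_process_name != process_name`
    step. Values are lower-cased first (an assumption made here for readability)."""
    if ev["process_integrity_level"].lower() not in ("high", "system"):
        return False
    parent, child = ev["parent_process_name"].lower(), ev["process_name"].lower()
    if parent not in UACBYPASS_PARENTS:
        return False
    cmdline = ev["process"].lower()
    in_user_location = any(fnmatch.fnmatchcase(cmdline, p.lower())
                           for p in USER_LOCATION_PATTERNS)
    if child not in SHELL_CHILDREN and not in_user_location:
        return False
    return parent != child  # drop self-relaunches such as eventvwr.exe -> eventvwr.exe

def detect(events):
    """Return one RBA-style message per record that trips the detection."""
    return [MESSAGE.format(**ev) for ev in events if is_suspicious_child(ev)]

def _ev(parent, child, cmdline, level="High", dest="ws01", user="alice"):
    return dict(dest=dest, user=user, process_integrity_level=level,
                parent_process_name=parent, process_name=child, process=cmdline)

# Constructed Sysmon Event ID 1 records (not real telemetry), keyed like the data model fields.
SAMPLE_EVENTS = [
    _ev("eventvwr.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe /c whoami"),        # shell child: alert
    _ev("eventvwr.exe", "mmc.exe", "C:\\Windows\\System32\\mmc.exe eventvwr.msc"),     # normal child: no alert
    _ev("explorer.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe", level="Medium"),   # not a bypass parent, medium IL
    _ev("fodhelper.exe", "update.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),  # user-writable path: alert
    _ev("eventvwr.exe", "eventvwr.exe", "C:\\ProgramData\\eventvwr.exe"),               # same name: filtered out
    _ev("fodhelper.exe", "werfault.exe", "C:\\Windows\\System32\\WerFault.exe -u -p 4242"),  # alert; the known FP source
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

Running it yields three alerts (cmd.exe, update.exe and werfault.exe); the werfault.exe hit is exactly the false-positive class the page warns about, so a real deployment would tune it through the filter macro.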
Macros
The SPL above uses the following Macros:
windows_uac_bypass_suspicious_child_process_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- Processes.dest
- Processes.user
- Processes.parent_process_guid
- Processes.parent_process
- Processes.parent_process_name
- Processes.process_name
- Processes.process
- Processes.process_path
- Processes.process_integrity_level
- Processes.process_current_directory
How To Implement
The target environment must ingest Sysmon data, specifically Event ID 1 with process integrity level data.
Known False Positives
Including werfault.exe may cause some unintended false positives related to normal application faulting, but it is used in a number of UAC bypass techniques.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 45.0 | 60 | 75 | A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1548/002/
- https://atomicredteam.io/defense-evasion/T1548.002/
- https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.