UAC Bypass

## UAC Bypass

Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool.

### ATT&CK Coverage

|Technique |Level of Coverage |
|---|---|
|[Bypass User Account Control](https://attack.mitre.org/techniques/T1088/)|Medium|

### Analytic Code
**Language**: Splunk .
**Data Mode**l: Sysmon Native

`
index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"),  "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45")
`
### Test Cases
Using [UACME](https://github.com/hfiref0x/UACME):

- `akagi64.exe 23`
- `akagi64.exe 32`
- `akagi64.exe 33`
- `akagi64.exe 34`
- `akagi64.exe 36`
- `akagi64.exe 37`
- `akagi64.exe 45`

### Data Model Mappings

|Object|Action|Field|
|---|---|---|
| `process` | `create` | `image_path` |
| `process` | `create` | `parent_image_path` |
|` process` | `create` | `integrity_level` |
|` process` | `create` | `user` |
|` process` | `create` | `parent_command_line` |

## Developer Certificate of Origin
DCO signed-off-by: Ivan Kirillov <ikirillov@mitre.org>


Object	Action	Field
`process`	`create`	`image_path`
`process`	`create`	`parent_image_path`
`process`	`create`	`integrity_level`
`process`	`create`	`user`
`process`	`create`	`parent_command_line`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

UAC Bypass #6

UAC Bypass

ATT&CK Coverage

Analytic Code

Test Cases

Data Model Mappings

Developer Certificate of Origin

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

UAC Bypass #6

Description

UAC Bypass

ATT&CK Coverage

Analytic Code

Test Cases

Data Model Mappings

Developer Certificate of Origin

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions