UAC Bypass Using Windows Media Player - Process

Original Source: [Sigma source]
Title: UAC Bypass Using Windows Media Player - Process
Status: test
Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe method 32)
References:
  - https://github.com/hfiref0x/UACME
Author: Christian Burkard (Nextron Systems)
Date: 2021-08-23
Modified: 2024-12-01
Tags:
  - attack.defense-evasion
  - attack.privilege-escalation
  - attack.t1548.002
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img_1:
    # The legitimate On-Screen Keyboard binary lives in C:\Windows\System32;
    # an osk.exe image under the Windows Media Player directory is anomalous.
    Image: 'C:\Program Files\Windows Media Player\osk.exe'
  selection_img_2:
    # cmd.exe spawned by an mmc.exe console that loaded eventvwr.msc
    Image: 'C:\Windows\System32\cmd.exe'
    ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
  selection_integrity:
    # Only fire when the new process already runs elevated. The SID forms cover
    # telemetry that records the mandatory label as a SID rather than a name.
    IntegrityLevel:
      - 'High'
      - 'System'
      - 'S-1-16-16384'  # System Mandatory Level
      - 'S-1-16-12288'  # High Mandatory Level
  condition: 1 of selection_img_* and selection_integrity
Falsepositives:
  - Unknown
Level: high
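The rule's detection logic run over constructed process-creation events, as an added example that is not part of the Sigma rule or of UACMe. The matcher below implements the condition `1 of selection_img_* and selection_integrity` with Sigma's default exact, case-insensitive string comparison; the event records are constructed to resemble Sysmon Event ID 1 fields (Image, ParentCommandLine, IntegrityLevel) and are not real telemetry. The last two events show the two ways the rule stays quiet: the child process is not elevated, or the parent command line differs from the exact string (a different snap-in).

```python
"""Run the Sigma rule's detection logic over constructed process-creation events.

Added example, not code from the Sigma rule or from UACMe. The event
dictionaries below are constructed to resemble Sysmon Event ID 1 fields
(Image, ParentCommandLine, IntegrityLevel); no real telemetry is used.
Sigma's plain field match is whole-string and case-insensitive, which the
matcher mirrors.
"""

# The rule's selections, transcribed from the detection block above.
RULE = {
    "selection_img_1": {
        "Image": "C:\\Program Files\\Windows Media Player\\osk.exe",
    },
    "selection_img_2": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\eventvwr.msc" /s',
    },
    "selection_integrity": {
        "IntegrityLevel": ["High", "System", "S-1-16-16384", "S-1-16-12288"],
    },
}


def _field_matches(event, field, wanted):
    """Sigma exact match: the whole value must equal one of the wanted
    strings, compared case-insensitively. A missing field never matches."""
    value = event.get(field)
    if value is None:
        return False
    candidates = wanted if isinstance(wanted, list) else [wanted]
    return any(value.lower() == c.lower() for c in candidates)


def selection_matches(event, selection):
    """All fields inside one selection block are ANDed."""
    return all(_field_matches(event, f, w) for f, w in selection.items())


def rule_matches(event):
    """condition: 1 of selection_img_* and selection_integrity"""
    img_any = any(
        selection_matches(event, sel)
        for name, sel in RULE.items()
        if name.startswith("selection_img_")
    )
    return img_any and selection_matches(event, RULE["selection_integrity"])


def matching_events(events):
    """Return the records the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {   # osk.exe started from the Windows Media Player directory at High IL: alert
        "EventID": 1,
        "Image": "C:\\Program Files\\Windows Media Player\\osk.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
        "IntegrityLevel": "High",
    },
    {   # the legitimate On-Screen Keyboard from System32: no alert
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\osk.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
        "IntegrityLevel": "Medium",
    },
    {   # cmd.exe spawned by an elevated Event Viewer console, SID form of System IL,
        # lower-case image path to show the case-insensitive match: alert
        "EventID": 1,
        "Image": "c:\\windows\\system32\\cmd.exe",
        "ParentCommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\eventvwr.msc" /s',
        "IntegrityLevel": "S-1-16-16384",
    },
    {   # same parent, but the child runs at Medium IL: integrity selection fails
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\eventvwr.msc" /s',
        "IntegrityLevel": "Medium",
    },
    {   # elevated mmc with a different snap-in: ParentCommandLine is not an exact match
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\compmgmt.msc" /s',
        "IntegrityLevel": "High",
    },
]

if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], hit["IntegrityLevel"])
```

Because the plain Sigma field match requires the whole value to be equal, any pipeline that rewrites or normalises ParentCommandLine (quoting, argument order, an added switch) will break selection_img_2 without any error; check the field as it actually lands in the SIEM before relying on that branch, and confirm the backend emits IntegrityLevel at all, since process-creation sources that lack it can never satisfy selection_integrity.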