Name:Windows UAC Bypass Suspicious Child Process id:453a6b0f-b0ea-48fa-9cf4-20537ffdd22c version:3 date:2024-09-30 author:Steven Dick status:production type:TTP Description:The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system. Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
-CrowdStrike ProcessRollup2
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`
how_to_implement:Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. known_false_positives:Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. References: -https://attack.mitre.org/techniques/T1548/002/ -https://atomicredteam.io/defense-evasion/T1548.002/ -https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/ -https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Defense Evasion Tactics' - 'Living Off The Land' asset_type:Endpoint confidence:75 impact:60 message:A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$. mitre_attack_id: - 'T1548' - 'T1548.002' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' name:'process_name' type:'Process Name' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'Processes.dest' - 'Processes.user' - 'Processes.parent_process_guid' - 'Processes.parent_process' - 'Processes.parent_process_name' - 'Processes.process_name Processes.process' - 'Processes.process_path' - 'Processes.process_integrity_level' - 'Processes.process_current_directory' risk_score:45 security_domain:endpoint
