Windows UAC Bypass Suspicious Escalation Behavior

Name:Windows UAC Bypass Suspicious Escalation Behavior
id:00d050d3-a5b4-4565-a6a5-a31f69681dc3
version:13
date:2026-04-15
author:Steven Dick
status:production
type:TTP
Description:The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.
Data_source:

• -Sysmon EventID 1 AND Sysmon EventID 1

search:| tstats `security_content_summariesonly`
count max(_time) as lastTime

FROM datamodel=Endpoint.Processes WHERE

Processes.process_integrity_level IN (
"low",
"medium"
)

BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user
Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| eval original_integrity_level = CASE(
match(process_integrity_level,"low"),1,
match(process_integrity_level,"medium"),2,
match(process_integrity_level,"high"),3,
match(process_integrity_level,"system"),4,
true(),0
)
| rename process_guid as join_guid_1,
process* as parent_process*

| join max=0 dest join_guid_1 [

| tstats `security_content_summariesonly`
count min(_time) as firstTime
FROM datamodel=Endpoint.Processes WHERE

Processes.process_integrity_level IN (
"high",
"system"
)
Processes.process_name IN (`uacbypass_process_name`)

BY Processes.dest Processes.parent_process_guid
Processes.process_name Processes.process_guid


| `drop_dm_object_name(Processes)`

| rename parent_process_guid as join_guid_1,
process_guid as join_guid_2,
process_name as uac_process_name
]

| join max=0 dest join_guid_2 [

| tstats `security_content_summariesonly`
count min(_time) as firstTime
FROM datamodel=Endpoint.Processes WHERE

Processes.parent_process_name IN (`uacbypass_process_name`)
Processes.process_integrity_level IN (
"high",
"system"
)
BY Processes.dest Processes.parent_process_guid
Processes.process_name Processes.process
Processes.process_guid Processes.process_path
Processes.process_integrity_level Processes.process_current_directory


| `drop_dm_object_name(Processes)`


| rename parent_process_guid as join_guid_2


| eval elevated_integrity_level = CASE(
match(process_integrity_level,"low"),1,
match(process_integrity_level,"medium"),2,
match(process_integrity_level,"high"),3,
match(process_integrity_level,"system"),4,
true(),0
)
]
| where elevated_integrity_level > original_integrity_level
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_escalation_behavior_filter`

how_to_implement:Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.
known_false_positives:Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.
References:
  -https://attack.mitre.org/techniques/T1548/002/
  -https://atomicredteam.io/defense-evasion/T1548.002/
  -https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
  -https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
drilldown_searches:
 name:'View the detection results for - "$dest$" and "$user$"'
 search:'%original_detection_search% | search dest = "$dest$" user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$dest$" and "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'7d'
 latest_offset:'0'
tags:
  analytic_story:
    - 'Living Off The Land'
    - 'Compromised Windows Host'
    - 'Windows Defense Evasion Tactics'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1548.002'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
manual_test:None