Windows UAC Bypass Suspicious Escalation Behavior

Try in Splunk Security Cloud

Description

The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-11-20
• Author: Steven Dick
• ID: 00d050d3-a5b4-4565-a6a5-a31f69681dc3

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1548	Abuse Elevation Control Mechanism	Privilege Escalation, Defense Evasion

T1548.002

Bypass User Account Control

Privilege Escalation, Defense Evasion

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) 
| rename process_guid as join_guid_1, process* as parent_process* 
| join max=0 dest join_guid_1 [
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] 
| join max=0 dest join_guid_2 [
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN ("high","system") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| rename parent_process_guid as join_guid_2 
| eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)] 
| where elevated_integrity_level > original_integrity_level 
| table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_uac_bypass_suspicious_escalation_behavior_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly
• uacbypass_process_name

windows_uac_bypass_suspicious_escalation_behavior_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Processes.dest
• Processes.user
• Processes.parent_process_guid
• Processes.parent_process
• Processes.parent_process_name
• Processes.process_name Processes.process
• Processes.process_path
• Processes.process_integrity_level
• Processes.process_current_directory

How To Implement

Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.

Known False Positives

Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.

Associated Analytic Story

• Windows Defense Evasion Tactics
• Living Off The Land

RBA

Risk Score	Impact	Confidence	Message
64.0	80	80	A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1548/002/
• https://atomicredteam.io/defense-evasion/T1548.002/
• https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
• https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1