Windows UAC Bypass Suspicious Child Process

Try in Splunk Security Cloud

Description

The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-11-20
• Author: Steven Dick
• ID: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1548	Abuse Elevation Control Mechanism	Privilege Escalation, Defense Evasion

T1548.002

Bypass User Account Control

Privilege Escalation, Defense Evasion

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| where parent_process_name != process_name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_uac_bypass_suspicious_child_process_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly
• uacbypass_process_name

windows_uac_bypass_suspicious_child_process_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Processes.dest
• Processes.user
• Processes.parent_process_guid
• Processes.parent_process
• Processes.parent_process_name
• Processes.process_name Processes.process
• Processes.process_path
• Processes.process_integrity_level
• Processes.process_current_directory

How To Implement

Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.

Known False Positives

Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.

Associated Analytic Story

• Windows Defense Evasion Tactics
• Living Off The Land

RBA

Risk Score	Impact	Confidence	Message
45.0	60	75	A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1548/002/
• https://atomicredteam.io/defense-evasion/T1548.002/
• https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
• https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1