LoFP LoFP / including werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of uac bypass techniques.

Techniques

Sample rules

Windows UAC Bypass Suspicious Escalation Behavior

Description

The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.

Detection logic


| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) 
| rename process_guid as join_guid_1, process* as parent_process* 
| join max=0 dest join_guid_1 [
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] 
| join max=0 dest join_guid_2 [
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN ("high","system") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| rename parent_process_guid as join_guid_2 
| eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)] 
| where elevated_integrity_level > original_integrity_level 
| table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_uac_bypass_suspicious_escalation_behavior_filter`

Windows UAC Bypass Suspicious Child Process

Description

The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory 
| `drop_dm_object_name(Processes)` 
| where parent_process_name != process_name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_uac_bypass_suspicious_child_process_filter`