Including werfault.exe may cause some unintended false positives related to normal application faulting, but it is used in a number of UAC bypass techniques.

Techniques

Sample rules

Windows UAC Bypass Suspicious Escalation Behavior

Description

The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.

Detection logic


| tstats `security_content_summariesonly` count max(_time) as lastTime
    FROM datamodel=Endpoint.Processes
    WHERE Processes.process_integrity_level IN ("low", "medium")
    BY Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec
       Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id
       Processes.process_integrity_level Processes.process_name
       Processes.process_path Processes.user
       Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| eval original_integrity_level = CASE(
      match(process_integrity_level, "low"), 1,
      match(process_integrity_level, "medium"), 2,
      match(process_integrity_level, "high"), 3,
      match(process_integrity_level, "system"), 4,
      true(), 0)
| rename process_guid as join_guid_1, process* as parent_process*
| join max=0 dest join_guid_1 [
    | tstats `security_content_summariesonly` count min(_time) as firstTime
        FROM datamodel=Endpoint.Processes
        WHERE Processes.process_integrity_level IN ("high", "system")
          AND Processes.process_name IN (`uacbypass_process_name`)
        BY Processes.dest Processes.parent_process_guid
           Processes.process_name Processes.process_guid
    | `drop_dm_object_name(Processes)`
    | rename parent_process_guid as join_guid_1,
             process_guid as join_guid_2,
             process_name as uac_process_name ]
| join max=0 dest join_guid_2 [
    | tstats `security_content_summariesonly` count min(_time) as firstTime
        FROM datamodel=Endpoint.Processes
        WHERE Processes.parent_process_name IN (`uacbypass_process_name`)
          AND Processes.process_integrity_level IN ("high", "system")
        BY Processes.dest Processes.parent_process_guid
           Processes.process_name Processes.process
           Processes.process_guid Processes.process_path
           Processes.process_integrity_level Processes.process_current_directory
    | `drop_dm_object_name(Processes)`
    | rename parent_process_guid as join_guid_2
    | eval elevated_integrity_level = CASE(
          match(process_integrity_level, "low"), 1,
          match(process_integrity_level, "medium"), 2,
          match(process_integrity_level, "high"), 3,
          match(process_integrity_level, "system"), 4,
          true(), 0) ]
| where elevated_integrity_level > original_integrity_level
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_escalation_behavior_filter`

Windows UAC Bypass Suspicious Child Process

Description

The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_integrity_level IN ("high", "system")
      AND Processes.parent_process_name IN (`uacbypass_process_name`)
      AND (Processes.process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript",
                                      "cscript.exe", "bash.exe", "werfault.exe")
           OR Processes.process IN ("*\\\\*", "*\\Users\\*", "*\\ProgramData\\*", "*\\Temp\\*"))
    by Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec
       Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id
       Processes.process_integrity_level Processes.process_name
       Processes.process_path Processes.user
       Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| where parent_process_name != process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_uac_bypass_suspicious_child_process_filter`
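As an added illustration (not part of either Splunk rule), the core logic of both analytics above re-implemented in Python over a handful of constructed Sysmon EventID 1-style process records: the three-way integrity-level comparison of the escalation rule, the shell/user-path child check of the child-process rule, and a benign werfault.exe faulting chain that neither rule flags. The GUIDs, command lines and the single-entry stand-in for the `uacbypass_process_name` macro are assumptions.

```python
from fnmatch import fnmatch
# Rank used by the rules' CASE() expressions on process_integrity_level.
INTEGRITY_RANK = {"low": 1, "medium": 2, "high": 3, "system": 4}
# Stand-in for the `uacbypass_process_name` macro (assumed; its real contents are not on this page).
UACBYPASS_PROCESS_NAMES = {"werfault.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript",
                  "cscript.exe", "bash.exe", "werfault.exe"}
USER_PATHS = ("*\\\\*", "*\\Users\\*", "*\\ProgramData\\*", "*\\Temp\\*")
# Constructed Sysmon EventID 1-style records (GUIDs and command lines invented).
EVENTS = [
    # Chain 1: medium explorer -> high werfault -> high cmd: both rules fire.
    dict(guid="G1", parent_guid="G0", name="explorer.exe", process="explorer.exe", level="medium"),
    dict(guid="G2", parent_guid="G1", name="werfault.exe", process="werfault.exe", level="high"),
    dict(guid="G3", parent_guid="G2", name="cmd.exe", process="cmd.exe", level="high"),
    # Chain 2: a medium app faults and WER runs at medium (normal faulting): no gain, no alert.
    dict(guid="G4", parent_guid="G0", name="notepad.exe", process="notepad.exe", level="medium"),
    dict(guid="G5", parent_guid="G4", name="werfault.exe", process="werfault.exe -u -p 4120", level="medium"),
]

def rank(level):
    return INTEGRITY_RANK.get(level.lower(), 0)

def escalation_hits(events):
    """Rule 1: low/medium origin -> high/system UAC-bypass process -> child outranking the origin."""
    by_guid = {e["guid"]: e for e in events}
    hits = []
    for child in events:
        uac = by_guid.get(child["parent_guid"])
        origin = by_guid.get(uac["parent_guid"]) if uac else None
        if not origin or rank(origin["level"]) not in (1, 2):
            continue
        if uac["name"].lower() not in UACBYPASS_PROCESS_NAMES or rank(uac["level"]) < 3:
            continue
        if rank(child["level"]) >= 3 and rank(child["level"]) > rank(origin["level"]):
            hits.append((origin["name"], uac["name"], child["name"]))
    return hits

def suspicious_child_hits(events):
    """Rule 2: high/system shell or user-path child of a UAC-bypass process, parent name != child name."""
    by_guid = {e["guid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_guid.get(child["parent_guid"])
        if not parent or rank(child["level"]) < 3:
            continue
        name, cmd = child["name"].lower(), child["process"].lower()
        if parent["name"].lower() in UACBYPASS_PROCESS_NAMES and parent["name"].lower() != name and (
                name in SHELL_CHILDREN or any(fnmatch(cmd, p.lower()) for p in USER_PATHS)):
            hits.append((parent["name"], child["name"]))
    return hits
```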