LoFP / Limited false positives should be present, as this is not commonly used by legitimate applications.

Techniques

Sample rules

SLUI RunAs Elevated

Description

The following analytic identifies the Microsoft Software Licensing User Interface Tool, slui.exe, elevating access using the -verb runas function. This particular bypass relies on a registry key/value: the registry keys, identified by two sources, are HKCU\Software\Classes\exefile\shell and HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command. Multiple POCs are available to simulate this behavior. The analytic identifies the use of runas by slui.exe.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `slui_runas_elevated_filter`
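As an added example, not part of this page or of the Splunk Security Content project, the Python below re-implements the detection logic above outside Splunk, over constructed process-creation events shaped like Endpoint.Processes rows. It mirrors the where clause (process_name=slui.exe with a command line containing both "-verb" and "runas"), then aggregates count/firstTime/lastTime by the same fields the tstats query groups on. Two assumptions are labelled in the code: matching is done case-insensitively, and the `slui_runas_elevated_filter` tuning macro is modelled as a simple excluded-host set.

```python
"""Stand-alone mirror of the SLUI RunAs Elevated detection over sample events.

Added example (not Splunk or Security Content code). Field names follow the
Endpoint.Processes data model used by the tstats query on the page.
"""
from collections import defaultdict
from datetime import datetime

# Fields the tstats query groups on (the "by" clause, minus the Processes. prefix).
GROUP_BY = ("dest", "user", "parent_process", "process_name",
            "process", "process_id", "parent_process_id")

# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "dest": "ws01", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process_name": "slui.exe",
     "process": "\"C:\\Windows\\System32\\slui.exe\" -verb runas",
     "process_id": 4120, "parent_process_id": 3980},
    # Same key fields as above (constructed PID reuse), five minutes later: the
    # aggregation folds both into one row with count=2, as tstats would.
    {"_time": "2024-01-01T10:05:00", "dest": "ws01", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process_name": "slui.exe",
     "process": "\"C:\\Windows\\System32\\slui.exe\" -verb runas",
     "process_id": 4120, "parent_process_id": 3980},
    # Plain slui.exe launch with no -verb/runas: must not match.
    {"_time": "2024-01-01T10:07:00", "dest": "ws01", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\explorer.exe", "process_name": "slui.exe",
     "process": "\"C:\\Windows\\System32\\slui.exe\"",
     "process_id": 5001, "parent_process_id": 1200},
    # A different binary with the same arguments: process_name does not match.
    {"_time": "2024-01-01T10:09:00", "dest": "ws01", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\System32\\cmd.exe", "process_name": "notepad.exe",
     "process": "notepad.exe -verb runas",
     "process_id": 5002, "parent_process_id": 1300},
    # Mixed-case variant on another host; matched because comparison is case-insensitive.
    {"_time": "2024-01-01T11:00:00", "dest": "ws02", "user": "CORP\\bob",
     "parent_process": "C:\\Windows\\System32\\cmd.exe", "process_name": "SLUI.EXE",
     "process": "SLUI.EXE -Verb RunAs",
     "process_id": 777, "parent_process_id": 700},
]


def matches_rule(event):
    """Mirror of the where clause: process_name=slui.exe AND process=*-verb* AND
    process=*runas*. Assumption: compared case-insensitively, since Windows
    file names and most shells accept either case."""
    name = str(event.get("process_name", "")).lower()
    cmdline = str(event.get("process", "")).lower()
    return name == "slui.exe" and "-verb" in cmdline and "runas" in cmdline


def detect(events):
    """Aggregate matching events like `count min(_time) max(_time) ... by ...`.

    Returns one row per distinct GROUP_BY tuple with count, firstTime and
    lastTime (ISO strings, standing in for security_content_ctime output)."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            key = tuple(ev.get(f) for f in GROUP_BY)
            groups[key].append(datetime.fromisoformat(ev["_time"]))
    results = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        row["firstTime"] = min(times).isoformat()
        row["lastTime"] = max(times).isoformat()
        results.append(row)
    # Deterministic order for readers and tests: by host, then first sighting.
    results.sort(key=lambda r: (r["dest"], r["firstTime"]))
    return results


def apply_filter(results, excluded_hosts=frozenset()):
    """Stand-in for the `slui_runas_elevated_filter` macro. Assumption: the macro
    is used to drop rows for hosts an analyst has reviewed and excluded."""
    return [r for r in results if r["dest"] not in excluded_hosts]


if __name__ == "__main__":
    for row in apply_filter(detect(SAMPLE_EVENTS)):
        print(row["dest"], row["user"], row["count"], row["firstTime"], row["lastTime"])
```

The grouping deliberately includes process_id and parent_process_id exactly as the query does, so two sightings only collapse into one row when every grouped field is equal; in practice most hits will be single-count rows, and tuning belongs in the filter stage rather than in the match itself.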