not so common. but 3rd part app may load this dll.

t1218
t1218.003
endpoint
splunk

Techniques

T1218
T1218.003

Sample rules

UAC Bypass With Colorui COM Object

source: splunk
technicques:
- T1218
- T1218.003

Description

This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.

Detection logic

`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `uac_bypass_with_colorui_com_object_filter`