Techniques
Sample rules
UAC Bypass With Colorui COM Object
- source: splunk
- technicques:
- T1218
- T1218.003
Description
This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.
Detection logic
`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*"))
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `uac_bypass_with_colorui_com_object_filter`