-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2019-04-001.yaml
61 lines (61 loc) · 4.3 KB
/
CAR-2019-04-001.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
---
title: UAC Bypass
submission_date: 2019/04/19
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2019-04-001
description: |-
Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool.
coverage:
- technique: T1548
tactics:
- TA0005
subtechniques:
- T1548.002
coverage: Low
implementations:
- description: This Splunk query looks for specific invocations of UACME, representing different ways to bypass user account control.
code: |-
index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45")
type: splunk
data_model: Sysmon native
- description: This is a pseudocode version of the above Splunk query.
code: |-
processes = search Process:Create
possible_uac_bypass = filter processes where (
integrity_level == "High" and
(parent_image_path == "c:\windows\system32\fodhelper.exe") or
(command_line == "*.exe\"*cleanmgr.exe /autoclean*") or
(image_path == "c:\program files\windows media player\osk.exe") or
(parent_image_path == "c:\windows\system32\slui.exe") or
(parent_command_line == '"c:\windows\system32\dism.exe"*""*.xml"' and image_path != "c:\users\*\appdata\local\temp\*\dismhost.exe") or
(command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or
(parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe")
)
output possible_uac_bypass
type: pseudocode
data_model: CAR
- name: Sigma/Sysmon (Eventvwr)
description: '[Sigma](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml) rule for detecting eventvwr-based UAC bypass.'
type: Sigma
- name: Sigma/Sysmon (sdclt)
description: '[Sigma](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml) rule for detecting sdclt-based UAC bypass.'
type: Sigma
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 integrity_level="High" ((parent_image="c:\windows\system32\fodhelper.exe" OR command='*.exe"*cleanmgr.exe /autoclean*' OR image="c:\program files\windows media player\osk.exe" OR parent_image="c:\windows\system32\slui.exe") OR (parent_command='"c:\windows\system32\dism.exe"*""*.xml"' -image="c:\users\*\appdata\local\temp\*\dismhost.exe") OR (parent_image="c:\windows\*dccw.exe" -image="c:\windows\system32\cttune.exe") OR (command='"c:\windows\system32\wusa.exe"*/quiet*' -user="NOT_TRANSLATED" path="c:\windows\system32\" -parent_image="c:\windows\explorer.exe"))
type: LogPoint
data_mode: LogPoint native
data_model_references:
- process/create/image_path
- process/create/parent_image_path
- process/create/integrity_level
- process/create/user
- process/create/parent_command_line