Detect Bypass User Account Control in Google Chronicle
Adversaries bypass Windows User Account Control (UAC) to execute code with elevated privileges without triggering user prompts. Common methods include: eventvwr.exe hijacking (ZeroT, Koadic), fodhelper.exe Registry key abuse (Saint Bot), sdclt.exe App Paths abuse (WarzoneRAT), CMSTPLUA COM interface (Avaddon), and DLL hijacking via auto-elevated applications (ShimRat via migwiz.exe). Used by BlackCat, LockBit 2.0/3.0, Cobalt Strike, DarkGate, Evilnum, APT37, APT38, BRONZE BUTLER, and many others. UACME documents 70+ bypass methods.
MITRE ATT&CK
- Technique: T1548 Abuse Elevation Control Mechanism
- Sub-technique: T1548.002 Bypass User Account Control
- Canonical reference: https://attack.mitre.org/techniques/T1548/002/
YARA-L Detection Query
rule uac_bypass_auto_elevate_child_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass via auto-elevating binary spawning unexpected child processes"
    mitre_attack_technique = "T1548.002"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    // Anchor on the path separator so look-alike names (e.g. notsdclt.exe) do not match.
    $proc.principal.process.file.full_path = /(?i)\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$/
    // Expected children: eventvwr.exe legitimately launches mmc.exe (eventvwr.msc) and
    // sdclt.exe legitimately launches control.exe; the hijacks replace exactly those,
    // so excluding them keeps the rule quiet on normal use of both tools.
    not $proc.target.process.file.full_path = /(?i)\\(conhost|WerFault|dwm|mmc|control)\.exe$/

  condition:
    $proc
}
rule uac_bypass_registry_hkcu {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass via current-user registry key creation or modification at known bypass paths"
    mitre_attack_technique = "T1548.002"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    // Sysmon reports the key as created (Event ID 12) before the value is set (Event ID 13).
    (
      $reg.metadata.event_type = "REGISTRY_CREATION" or
      $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    )
    // Sysmon writes the current-user hive as HKU\<SID>, not HKCU, so accept both spellings.
    // The sdclt.exe key is "App Paths" with a literal space; "App\.Paths" would never match.
    $reg.target.registry.registry_key = /(?i)(HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[0-9-]+|HKEY_USERS\\S-1-5-21-[0-9-]+)\\.*(ms-settings\\shell\\open\\command|mscfile\\shell\\open\\command|exefile\\shell\\runas|App Paths\\control\.exe)/

  condition:
    $reg
}
rule uac_bypass_cmstplua_com {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects CMSTPLUA COM elevation (dllhost.exe surrogate hosting the ICMLuaUtil object) and cmstp.exe INF execution used for UAC bypass"
    mitre_attack_technique = "T1548.002"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $com.metadata.event_type = "PROCESS_LAUNCH"
    (
      // cmstp.exe takes an INF file; the bypass feeds it a crafted one. Requiring ".inf"
      // on the command line keeps bare cmstp.exe launches out of a CRITICAL alert.
      (
        $com.target.process.file.full_path = /(?i)\\cmstp\.exe$/ and
        $com.target.process.command_line = /(?i)\.inf/
      ) or
      // {3E5FC7F9-9A51-4367-9063-A120244FBEC7} is the CMSTPLUA CLSID; COM loads it in an
      // elevated dllhost.exe surrogate with /Processid:{CLSID} on the command line.
      (
        $com.target.process.file.full_path = /(?i)\\dllhost\.exe$/ and
        $com.target.process.command_line = /(?i)3E5FC7F9-9A51-4367-9063-A120244FBEC7/
      )
    )

  condition:
    $com
}
rule uac_bypass_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass resulting in cmd or PowerShell spawned by known bypass binaries"
    mitre_attack_technique = "T1548.002"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.target.process.file.full_path = /(?i)\\(cmd|powershell|pwsh)\.exe$/
    // Registry-hijack bypass binaries: eventvwr.exe (mscfile), fodhelper.exe and
    // computerdefaults.exe (ms-settings), sdclt.exe (App Paths), slui.exe (exefile runas).
    $shell.principal.process.file.full_path = /(?i)\\(eventvwr|fodhelper|computerdefaults|sdclt|slui)\.exe$/

  condition:
    $shell
}

Four Chronicle YARA-L 2.0 rules, each covering one UAC bypass primitive: (1) an auto-elevating binary spawning a child other than the one it is expected to launch, (2) modification of the current-user registry keys that the registry-hijack bypasses write, (3) CMSTPLUA COM elevation via a dllhost.exe surrogate carrying the CMSTPLUA CLSID, or cmstp.exe execution, and (4) cmd or PowerShell spawned directly from a registry-hijack bypass binary, rated CRITICAL. The rules use UDM process, registry and command-line fields. None of them checks the child's integrity level, so confirm that elevation actually occurred during triage using the Sysmon IntegrityLevel or Security 4688 Mandatory Label fields.
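To check the rule logic before pushing it to Chronicle, the following added example (not Chronicle code and not from the original page) re-expresses the four rules in Python and runs them over constructed UDM-shaped events. The dict keys `parent_path`, `child_path`, `command_line` and `registry_key` are stand-ins for the UDM paths the rules read; the sample events are constructed, not captured telemetry, and include the cases a deployment should get right: the legitimate eventvwr.exe to mmc.exe launch, a Sysmon-style HKU\<SID> key path, and a look-alike binary name that the path-separator anchor must reject.

```python
import re

# Added example: the YARA-L rules above re-expressed in Python for offline testing.
# UDM field mapping used here (an assumption for the sake of the example):
#   principal.process.file.full_path -> parent_path
#   target.process.file.full_path    -> child_path
#   target.process.command_line      -> command_line
#   target.registry.registry_key     -> registry_key
I = re.IGNORECASE
AUTO_ELEVATE_PARENTS = re.compile(
    r"\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|"
    r"sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$", I)
# Children the listed parents legitimately spawn (eventvwr.exe -> mmc.exe,
# sdclt.exe -> control.exe) plus the usual noise processes.
EXPECTED_CHILDREN = re.compile(r"\\(conhost|WerFault|dwm|mmc|control)\.exe$", I)
# Sysmon spells the current-user hive HKU\<SID>; other sources may say HKCU.
BYPASS_REG_KEYS = re.compile(
    r"(HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[0-9-]+|HKEY_USERS\\S-1-5-21-[0-9-]+)\\.*"
    r"(ms-settings\\shell\\open\\command|mscfile\\shell\\open\\command|"
    r"exefile\\shell\\runas|App Paths\\control\.exe)", I)
CMSTPLUA_CLSID = re.compile(r"3E5FC7F9-9A51-4367-9063-A120244FBEC7", I)
SHELLS = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", I)
SHELL_PARENTS = re.compile(r"\\(eventvwr|fodhelper|computerdefaults|sdclt|slui)\.exe$", I)


def rule_auto_elevate_child_spawn(ev):
    return (ev["event_type"] == "PROCESS_LAUNCH"
            and AUTO_ELEVATE_PARENTS.search(ev.get("parent_path", "")) is not None
            and EXPECTED_CHILDREN.search(ev.get("child_path", "")) is None)


def rule_registry_hkcu(ev):
    return (ev["event_type"] in ("REGISTRY_CREATION", "REGISTRY_MODIFICATION")
            and BYPASS_REG_KEYS.search(ev.get("registry_key", "")) is not None)


def rule_cmstplua_com(ev):
    if ev["event_type"] != "PROCESS_LAUNCH":
        return False
    child, cmd = ev.get("child_path", ""), ev.get("command_line", "")
    if re.search(r"\\cmstp\.exe$", child, I) and re.search(r"\.inf", cmd, I):
        return True
    return bool(re.search(r"\\dllhost\.exe$", child, I) and CMSTPLUA_CLSID.search(cmd))


def rule_shell_spawn(ev):
    return (ev["event_type"] == "PROCESS_LAUNCH"
            and SHELLS.search(ev.get("child_path", "")) is not None
            and SHELL_PARENTS.search(ev.get("parent_path", "")) is not None)


RULES = {
    "uac_bypass_auto_elevate_child_spawn": rule_auto_elevate_child_spawn,
    "uac_bypass_registry_hkcu": rule_registry_hkcu,
    "uac_bypass_cmstplua_com": rule_cmstplua_com,
    "uac_bypass_shell_spawn": rule_shell_spawn,
}


def evaluate(events):
    """Return {event id: [names of rules that fire]} for a list of UDM-shaped events."""
    return {ev["id"]: [name for name, fn in RULES.items() if fn(ev)] for ev in events}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal Event Viewer use: eventvwr.exe starts mmc.exe. Must stay quiet.
    {"id": "legit-eventvwr", "event_type": "PROCESS_LAUNCH",
     "parent_path": r"C:\Windows\System32\eventvwr.exe",
     "child_path": r"C:\Windows\System32\mmc.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'},
    # mscfile handler hijacked: eventvwr.exe spawns cmd.exe instead of mmc.exe.
    {"id": "eventvwr-hijack", "event_type": "PROCESS_LAUNCH",
     "parent_path": r"C:\Windows\System32\eventvwr.exe",
     "child_path": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    # fodhelper key as Sysmon reports it, under HKU\<SID> rather than HKCU.
    {"id": "fodhelper-regkey", "event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\shell\open\command"},
    # Unrelated per-user file association write: must stay quiet.
    {"id": "benign-regkey", "event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKCU\Software\Classes\.txt\OpenWithProgids"},
    # Elevated COM surrogate hosting the CMSTPLUA object.
    {"id": "cmstplua-dllhost", "event_type": "PROCESS_LAUNCH",
     "parent_path": r"C:\Windows\System32\svchost.exe",
     "child_path": r"C:\Windows\System32\dllhost.exe",
     "command_line": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    # Look-alike parent name: the "\\" anchor before the binary name rejects it.
    {"id": "lookalike-parent", "event_type": "PROCESS_LAUNCH",
     "parent_path": r"C:\Users\alice\AppData\Local\Temp\notsdclt.exe",
     "child_path": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for event_id, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:18} -> {hits or 'no detection'}")
```

The expected outcome is that only the hijack, the HKU\<SID> registry write and the dllhost.exe surrogate fire, with the hijack tripping both the child-spawn and the shell-spawn rules; the legitimate Event Viewer launch, the benign registry write and the look-alike binary produce nothing. Because the Python regexes are the same RE2-compatible expressions used in the YARA-L rules, a mismatch here usually means the rule's pattern needs the same fix.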
Data Sources
All four rules read Chronicle UDM events. PROCESS_LAUNCH supplies principal.process.file.full_path (the parent), target.process.file.full_path (the child) and target.process.command_line; the registry rule reads target.registry.registry_key from registry modification events. Typical upstream feeds are Sysmon Event ID 1 (process creation with parent image and command line) and Event IDs 12/13 (registry key and value changes), or Windows Security Event 4688 with process command-line auditing enabled. 4688 carries no registry telemetry, so the registry rule needs Sysmon or an EDR registry feed.
False Positives & Tuning
- Windows Defender or other AV products that use elevated COM objects (dllhost.exe with an elevated CLSID) for quarantine or remediation operations triggered from system processes
- Enterprise GPO-based configurations that write to Software\Classes registry keys, including ms-settings paths, when applying policy during domain-joined workstation startup
- Sysinternals or IT tooling (e.g., Autoruns, Process Monitor) that enumerates or touches runas shell handler registry keys as part of system inspection
- Legitimate launch chains of the monitored binaries: eventvwr.exe normally starts mmc.exe (eventvwr.msc) and sdclt.exe normally starts control.exe, so those expected children must be excluded from the child-spawn rule; mmc.exe and msconfig.exe run by administrators spawn whatever tool a snap-in or the System Configuration Tools tab invokes, which needs per-environment exclusions
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: UAC Bypass via eventvwr.exe (Registry Hijacking)
Expected signal: Sysmon EventCode 13 (RegistryValueSet) at HKCU\Software\Classes\mscfile\shell\open\command; Sysmon reports the current-user hive as HKU\<user SID>\Software\Classes\..., so match on the key suffix rather than on an HKCU prefix. Sysmon EventCode 1 for eventvwr.exe, followed by calc.exe (or cmd.exe) with ParentImage eventvwr.exe and IntegrityLevel High. Security Event 4688 for calc.exe with Mandatory Label High (S-1-16-12288).
- Test 2: UAC Bypass via fodhelper.exe (ms-settings)
Expected signal: Sysmon EventCode 12/13: HKCU\Software\Classes\ms-settings\shell\open\command (again reported under HKU\<user SID>) created, with its default value set to cmd.exe and an empty DelegateExecute value added. Sysmon EventCode 1: fodhelper.exe spawning cmd.exe with IntegrityLevel High.
- Test 3: Check UAC Configuration and Current Integrity Level
Expected signal: Sysmon EventCode 1: reg.exe (the UAC policy values such as EnableLUA and ConsentPromptBehaviorAdmin live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and whoami.exe (whoami /groups reports the current Mandatory Label) process creation.
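The Chronicle rules above alert per event; when validating Tests 1 and 2 you want to confirm the whole chain, a bypass key write followed shortly by the hijacked binary spawning a High-integrity child. The following added example (not part of the original page or of Atomic Red Team) parses Sysmon events in their exported XML form, using the real Sysmon field names `UtcTime`, `Image`, `ParentImage`, `IntegrityLevel` and `TargetObject`, and pairs each key write with a matching later spawn. The five-minute pairing window and the key-to-binary mapping are assumptions chosen for the example; the XML records are constructed to mirror Sysmon's schema, not captured from a host.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Added example: correlate Sysmon registry writes with High-integrity spawns from the
# hijacked auto-elevating binary. Test data below is constructed, not a real capture.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
BYPASS_KEYS = re.compile(
    r"\\Software\\Classes\\(mscfile|ms-settings)\\shell\\open\\command", re.IGNORECASE)
HIJACKED_PARENTS = re.compile(
    r"\\(eventvwr|fodhelper|sdclt|computerdefaults)\.exe$", re.IGNORECASE)
# Which hijacked key each auto-elevating binary consumes (assumed mapping for the example).
KEY_TO_PARENTS = {"mscfile": {"eventvwr"}, "ms-settings": {"fodhelper", "computerdefaults"}}


def parse_sysmon(xml_text):
    """Flatten one Sysmon <Event> into a dict: event_id, time, and every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    rec = {"event_id": int(root.find(f"{NS}System/{NS}EventID").text)}
    for data in root.iter(f"{NS}Data"):
        rec[data.get("Name")] = data.text or ""
    # Sysmon UtcTime looks like "2024-05-01 12:00:00.123"
    rec["time"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def find_bypass_chains(records, window=timedelta(minutes=5)):
    """Pair each bypass-key write (ID 12/13) with a later High-integrity child (ID 1)
    whose parent is the binary that reads that key, within `window` of the write."""
    key_writes, spawns = [], []
    for r in records:
        if r["event_id"] in (12, 13):
            m = BYPASS_KEYS.search(r.get("TargetObject", ""))
            if m:
                key_writes.append((m.group(1).lower(), r))
        elif r["event_id"] == 1 and r.get("IntegrityLevel") == "High":
            m = HIJACKED_PARENTS.search(r.get("ParentImage", ""))
            if m:
                spawns.append((m.group(1).lower(), r))
    chains = []
    for key_class, w in key_writes:
        for parent, s in spawns:
            if parent in KEY_TO_PARENTS[key_class] and w["time"] <= s["time"] <= w["time"] + window:
                chains.append({"key": w["TargetObject"], "parent": s["ParentImage"],
                               "child": s["Image"], "child_cmd": s.get("CommandLine", "")})
    return chains


def sysmon_xml(event_id, utc_time, **fields):
    """Build a minimal Sysmon-shaped <Event> (constructed test data, not a capture)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="UtcTime">{utc_time}</Data>{data}</EventData></Event>')


SAMPLE_XML = [
    # Test 1 step 1: the mscfile handler is set (Sysmon reports HKCU as HKU\<SID>).
    sysmon_xml(13, "2024-05-01 12:00:00.000", EventType="SetValue",
               Image=r"C:\Windows\System32\reg.exe",
               TargetObject=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
               Details=r"C:\Windows\System32\cmd.exe /c calc.exe"),
    # Test 1 step 2: eventvwr.exe itself starts at Medium integrity from Explorer.
    sysmon_xml(1, "2024-05-01 12:00:04.500", Image=r"C:\Windows\System32\eventvwr.exe",
               CommandLine="eventvwr.exe", IntegrityLevel="Medium",
               ParentImage=r"C:\Windows\explorer.exe"),
    # Test 1 step 3: the hijacked handler runs cmd.exe at High integrity.
    sysmon_xml(1, "2024-05-01 12:00:05.200", Image=r"C:\Windows\System32\cmd.exe",
               CommandLine="cmd.exe /c calc.exe", IntegrityLevel="High",
               ParentImage=r"C:\Windows\System32\eventvwr.exe"),
    # An admin opened Event Viewer an hour earlier: High-integrity mmc.exe from
    # eventvwr.exe, but before the key write, so it must not be paired.
    sysmon_xml(1, "2024-05-01 11:00:00.000", Image=r"C:\Windows\System32\mmc.exe",
               CommandLine="mmc.exe eventvwr.msc", IntegrityLevel="High",
               ParentImage=r"C:\Windows\System32\eventvwr.exe"),
]


def run_sample():
    return find_bypass_chains([parse_sysmon(x) for x in SAMPLE_XML])


if __name__ == "__main__":
    for chain in run_sample():
        print(f"{chain['parent']} -> {chain['child']} after write to {chain['key']}")
```

On the sample data exactly one chain is reported: the reg.exe write to the mscfile key paired with the High-integrity cmd.exe whose parent is eventvwr.exe. The earlier mmc.exe launch is ignored because it precedes the write, which is the ordering the Test 1 expected signal describes. Feed it `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"` output exported as XML to validate the same chain on a real test host.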
References
- https://attack.mitre.org/techniques/T1548/002/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- https://github.com/hfiref0x/UACME
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation