Detect Bypass User Account Control in Microsoft Sentinel
Adversaries bypass Windows User Account Control (UAC) to execute code with elevated privileges without triggering user prompts. Common methods include: eventvwr.exe hijacking (ZeroT, Koadic), fodhelper.exe Registry key abuse (Saint Bot), sdclt.exe App Paths abuse (WarzoneRAT), CMSTPLUA COM interface (Avaddon), and DLL hijacking via auto-elevated applications (ShimRat via migwiz.exe). Used by BlackCat, LockBit 2.0/3.0, Cobalt Strike, DarkGate, Evilnum, APT37, APT38, BRONZE BUTLER, and many others. UACME documents 70+ bypass methods.
MITRE ATT&CK
- Technique: T1548 Abuse Elevation Control Mechanism
- Sub-technique: T1548.002 Bypass User Account Control
- Canonical reference: https://attack.mitre.org/techniques/T1548/002/
KQL Detection Query
// T1548.002 — UAC Bypass detection
// Multiple sub-techniques: eventvwr, fodhelper, sdclt, CMSTPLUA, DLL hijacking
let UACBypassBinaries = dynamic([
"eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe",
"migwiz.exe", "wsreset.exe", "computerdefaults.exe",
"slui.exe", "pkgmgr.exe", "sysprep.exe", "osk.exe",
"msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe",
"colorcpl.exe", "windowsanytimeupgrade.exe"
]);
// Part 1: Detect auto-elevating binaries spawning unexpected child processes
let UACBypassSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (UACBypassBinaries)
| where FileName !in~ ("conhost.exe", "WerFault.exe", "dwm.exe")
| where ProcessTokenElevationType =~ "TokenElevationTypeDefault"
or InitiatingProcessTokenElevationType =~ "TokenElevationTypeDefault"
| extend DetectionType = "UAC_Auto_Elevate_Bypass"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect registry modifications at known UAC bypass paths
let UACBypassReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
"ms-settings",
"mscfile",
"Classes\\exefile\\shell\\runas",
"Software\\Classes\\ms-settings",
"Software\\Classes\\mscfile",
"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe"
)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionType = "UAC_Bypass_Registry"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect CMSTPLUA COM elevation pattern
let UACBypassCOM = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "cmstp.exe"
or (InitiatingProcessFileName =~ "dllhost.exe" and
InitiatingProcessCommandLine has "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
| extend DetectionType = "UAC_CMSTPLUA_COM"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union UACBypassSpawn, UACBypassReg, UACBypassCOM
| sort by Timestamp desc
Three-part UAC bypass detection. Part 1 detects auto-elevating Windows binaries (eventvwr.exe, fodhelper.exe, sdclt.exe, etc.) spawning unexpected child processes, the result of process injection or registry hijacking UAC bypass. Part 2 monitors HKCU registry paths used by common UAC bypass techniques (ms-settings, mscfile, exefile/runas). Part 3 detects CMSTPLUA COM interface abuse. All three cover different bypass methods with near-zero false positives.
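To show how the three parts of the query above combine, here is the same logic rendered in plain Python and run over a handful of constructed DeviceProcessEvents / DeviceRegistryEvents-style records. This is an added example, not code from the page, Sentinel or Defender; the record fields mirror the column names the KQL uses, the sample events (device ws01, account alice, the contoso.exe registry write) are constructed, and substring matching stands in for KQL's term-based has_any.

```python
"""Python rendering of the three-part T1548.002 KQL detection, run over
constructed DeviceProcessEvents / DeviceRegistryEvents-style records.
Added example, not the page's or Sentinel's own code."""

# Same auto-elevating binaries as the query's UACBypassBinaries list
UAC_BYPASS_BINARIES = {
    "eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe",
    "migwiz.exe", "wsreset.exe", "computerdefaults.exe",
    "slui.exe", "pkgmgr.exe", "sysprep.exe", "osk.exe",
    "msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe",
    "colorcpl.exe", "windowsanytimeupgrade.exe",
}
# Children the query excludes as expected noise (the natural tuning point
# for vendor tools that legitimately invoke these binaries)
EXCLUDED_CHILDREN = {"conhost.exe", "werfault.exe", "dwm.exe"}
# Registry key fragments from Part 2. KQL has_any is term-based; a substring
# check is the closest plain-Python equivalent and errs toward matching more.
UAC_BYPASS_REG_PATHS = (
    "ms-settings", "mscfile", "classes\\exefile\\shell\\runas",
    "software\\classes\\ms-settings", "software\\classes\\mscfile",
    "software\\microsoft\\windows\\currentversion\\app paths\\control.exe",
)
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
DEFAULT_TOKEN = "tokenelevationtypedefault"


def detect_auto_elevate_spawn(proc_events):
    """Part 1: auto-elevating binary spawning an unexpected child."""
    hits = []
    for e in proc_events:
        parent = e["InitiatingProcessFileName"].lower()
        child = e["FileName"].lower()
        if parent not in UAC_BYPASS_BINARIES or child in EXCLUDED_CHILDREN:
            continue
        # Same OR condition as the KQL: either side carries the Default token type
        if (e.get("ProcessTokenElevationType", "").lower() != DEFAULT_TOKEN
                and e.get("InitiatingProcessTokenElevationType", "").lower() != DEFAULT_TOKEN):
            continue
        hits.append({**e, "DetectionType": "UAC_Auto_Elevate_Bypass"})
    return hits


def detect_registry_hijack(reg_events):
    """Part 2: value set or key created under a known hijack path."""
    hits = []
    for e in reg_events:
        if e["ActionType"] not in ("RegistryValueSet", "RegistryKeyCreated"):
            continue
        key = e["RegistryKey"].lower()
        if any(frag in key for frag in UAC_BYPASS_REG_PATHS):
            hits.append({**e, "DetectionType": "UAC_Bypass_Registry"})
    return hits


def detect_cmstplua_com(proc_events):
    """Part 3: child of cmstp.exe, or of a dllhost.exe hosting the CMSTPLUA CLSID."""
    hits = []
    for e in proc_events:
        parent = e["InitiatingProcessFileName"].lower()
        cmd = e.get("InitiatingProcessCommandLine", "").lower()
        if parent == "cmstp.exe" or (parent == "dllhost.exe" and CMSTPLUA_CLSID in cmd):
            hits.append({**e, "DetectionType": "UAC_CMSTPLUA_COM"})
    return hits


def run_detections(proc_events, reg_events):
    """Equivalent of: union ... | sort by Timestamp desc"""
    hits = (detect_auto_elevate_spawn(proc_events)
            + detect_registry_hijack(reg_events)
            + detect_cmstplua_com(proc_events))
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


def _proc(ts, child, parent, parent_cmd, child_tok, parent_tok):
    # Constructed DeviceProcessEvents-style record (hypothetical device/account)
    return {"Timestamp": ts, "DeviceName": "ws01", "AccountName": "alice",
            "FileName": child, "ProcessCommandLine": child,
            "InitiatingProcessFileName": parent, "InitiatingProcessCommandLine": parent_cmd,
            "ProcessTokenElevationType": child_tok,
            "InitiatingProcessTokenElevationType": parent_tok}


SAMPLE_PROCESS_EVENTS = [  # constructed
    _proc("2024-05-01T10:00:05Z", "cmd.exe", "eventvwr.exe", "eventvwr.exe",
          "TokenElevationTypeDefault", "TokenElevationTypeLimited"),   # Part 1 hit
    _proc("2024-05-01T10:00:06Z", "conhost.exe", "eventvwr.exe", "eventvwr.exe",
          "TokenElevationTypeDefault", "TokenElevationTypeLimited"),   # excluded child
    _proc("2024-05-01T10:00:07Z", "notepad.exe", "explorer.exe", "explorer.exe",
          "TokenElevationTypeLimited", "TokenElevationTypeLimited"),   # benign
    _proc("2024-05-01T10:00:09Z", "cmd.exe", "dllhost.exe",
          "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
          "TokenElevationTypeFull", "TokenElevationTypeFull"),         # Part 3 hit
]
SAMPLE_REGISTRY_EVENTS = [  # constructed
    {"Timestamp": "2024-05-01T10:00:01Z", "DeviceName": "ws01", "AccountName": "alice",
     "ActionType": "RegistryValueSet",
     "RegistryKey": "HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
     "RegistryValueName": "(Default)", "RegistryValueData": "cmd.exe",
     "InitiatingProcessFileName": "reg.exe", "InitiatingProcessCommandLine": "reg.exe"},  # Part 2 hit
    {"Timestamp": "2024-05-01T10:00:02Z", "DeviceName": "ws01", "AccountName": "alice",
     "ActionType": "RegistryValueSet",
     "RegistryKey": "HKEY_CURRENT_USER\\Software\\Contoso\\Settings",
     "RegistryValueName": "Theme", "RegistryValueData": "dark",
     "InitiatingProcessFileName": "contoso.exe", "InitiatingProcessCommandLine": "contoso.exe"},  # benign
]

if __name__ == "__main__":
    for h in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS):
        print(h["Timestamp"], h["DetectionType"], h.get("FileName") or h.get("RegistryKey"))
```

Running it yields three rows in descending time order: the CMSTPLUA dllhost.exe child, the eventvwr.exe child, and the ms-settings registry write; the conhost.exe child, the explorer.exe spawn and the unrelated registry value are all dropped, which is where the tuning for the false-positive sources listed below would be applied.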
Data Sources
Required Tables
- DeviceProcessEvents
- DeviceRegistryEvents
False Positives & Tuning
- Legitimate administrative tools that invoke auto-elevating binaries (some vendor software uses eventvwr.exe legitimately)
- IT management software that uses CMSTP/COM elevation for authorized software deployment
- Pentest tools performing authorized UAC bypass testing on test endpoints
- Application compatibility shims that may trigger auto-elevation paths
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: UAC Bypass via eventvwr.exe (Registry Hijacking)
Expected signal: Sysmon EventCode 13: RegistryValueSet at HKCU\Software\Classes\mscfile\shell\open\command. Sysmon EventCode 1: eventvwr.exe process, followed by calc.exe (or cmd.exe) spawned with High integrity level. Security Event 4688 for calc.exe with high integrity.
- Test 2: UAC Bypass via fodhelper.exe (ms-settings)
Expected signal: Sysmon EventCode 12/13: HKCU\Software\Classes\ms-settings\shell\open\command created with cmd.exe value. Sysmon EventCode 1: fodhelper.exe spawning cmd.exe with High integrity level.
- Test 3: Check UAC Configuration and Current Integrity Level
Expected signal: Sysmon EventCode 1: reg.exe and whoami.exe process creation.
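The expected signals for Tests 1 and 2 are really a sequence: a registry write at the hijacked HKCU key, then the auto-elevating binary spawning a High-integrity child on the same host shortly afterwards. The following added example (not the page's or Atomic Red Team's tooling) correlates Sysmon-style events into exactly that chain, so a validation run can be judged on the chain rather than on isolated events. The event records, host names (HOST-A, HOST-B, HOST-C) and timestamps are constructed; the 60-second window is an assumed default.

```python
"""Correlate Sysmon registry and process-creation events into the UAC bypass
signal chains described in the tests above. Added example; all events are
constructed and the field names follow Sysmon's EventCode 1/12/13 schema."""
import ntpath
from datetime import datetime, timedelta

# Expected chain per test, taken from the 'Expected signal' lines: a write at
# the hijacked key, then the named binary spawning a High-integrity child.
EXPECTED_CHAINS = {
    "Test 1 eventvwr/mscfile": ("\\software\\classes\\mscfile\\shell\\open\\command", "eventvwr.exe"),
    "Test 2 fodhelper/ms-settings": ("\\software\\classes\\ms-settings\\shell\\open\\command", "fodhelper.exe"),
}


def _t(s):
    # Sysmon UtcTime format
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_hijack_chains(events, window_seconds=60):
    """Return {test name: [(computer, child image), ...]} for every complete chain.

    A chain is complete when an EventCode 12/13 write touching the hijacked key is
    followed, on the same computer and within window_seconds, by an EventCode 1
    whose ParentImage is the auto-elevating binary and whose IntegrityLevel is High.
    """
    window = timedelta(seconds=window_seconds)
    reg_writes = [e for e in events if e["EventCode"] in (12, 13)]
    proc_creates = [e for e in events if e["EventCode"] == 1]
    found = {}
    for test, (key_fragment, parent_exe) in EXPECTED_CHAINS.items():
        for r in reg_writes:
            # Substring match so both the key itself (EventCode 12) and its
            # value path (EventCode 13 appends the value name) are covered.
            if key_fragment not in r["TargetObject"].lower():
                continue
            t0 = _t(r["UtcTime"])
            for p in proc_creates:
                if p["Computer"] != r["Computer"]:
                    continue
                if ntpath.basename(p["ParentImage"]).lower() != parent_exe:
                    continue
                if p["IntegrityLevel"] != "High":
                    continue
                delta = _t(p["UtcTime"]) - t0
                if timedelta(0) <= delta <= window:
                    child = ntpath.basename(p["Image"]).lower()
                    found.setdefault(test, []).append((p["Computer"], child))
    return found


SAMPLE_SYSMON_EVENTS = [  # constructed
    # HOST-A: Test 1 chain, complete (registry write, eventvwr.exe, High-integrity calc.exe)
    {"EventCode": 13, "Computer": "HOST-A", "UtcTime": "2024-05-01 10:00:00.000",
     "TargetObject": "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
     "Image": "C:\\Windows\\System32\\reg.exe"},
    {"EventCode": 1, "Computer": "HOST-A", "UtcTime": "2024-05-01 10:00:02.000",
     "Image": "C:\\Windows\\System32\\eventvwr.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "IntegrityLevel": "High"},
    {"EventCode": 1, "Computer": "HOST-A", "UtcTime": "2024-05-01 10:00:03.000",
     "Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": "C:\\Windows\\System32\\eventvwr.exe",
     "IntegrityLevel": "High"},
    # HOST-B: Test 2 key created, but the High-integrity child only appears 15 minutes later
    {"EventCode": 12, "Computer": "HOST-B", "UtcTime": "2024-05-01 11:00:00.000",
     "TargetObject": "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command",
     "Image": "C:\\Windows\\System32\\reg.exe"},
    {"EventCode": 1, "Computer": "HOST-B", "UtcTime": "2024-05-01 11:15:00.000",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "IntegrityLevel": "High"},
    # HOST-C: Test 3 only (reg.exe / whoami.exe at Medium integrity), no hijack chain
    {"EventCode": 1, "Computer": "HOST-C", "UtcTime": "2024-05-01 12:00:00.000",
     "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "IntegrityLevel": "Medium"},
    {"EventCode": 1, "Computer": "HOST-C", "UtcTime": "2024-05-01 12:00:01.000",
     "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for test, chains in find_hijack_chains(SAMPLE_SYSMON_EVENTS).items():
        print(test, "->", chains)
```

With the default window only HOST-A's Test 1 chain is reported; widening the window to 30 minutes also surfaces HOST-B's late fodhelper.exe child, which is the knob to adjust if a validation run spaces the steps out. Test 3 produces Medium-integrity reg.exe and whoami.exe creations only, so it never forms a chain and is checked by presence of those EventCode 1 records alone.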
References (6)
- https://attack.mitre.org/techniques/T1548/002/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- https://github.com/hfiref0x/UACME
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation