
Summary
This rule detects attempts to bypass User Account Control (UAC) on Windows through a combination of NTFS reparse points and DLL hijacking. Specifically, it looks for the creation or modification of a DLL named `api-ms-win-core-kernel32-legacy-l1.DLL` inside a user's temporary files directory (`C:\Users\<user>\AppData\Local\Temp\`), the drop location associated with the UAC bypass technique catalogued as UACMe method 36. The detection relies on file event logs and keys on location rather than on the file name alone: the legitimate API-set DLLs of that name family ship in Windows system directories, so a copy of this DLL appearing in a user-writable temp directory is the hijack artifact, not normal activity. The rule is rated high severity because a working UAC bypass lets an attacker who already controls a standard user session run payloads at administrator integrity without a consent prompt, undermining the Windows integrity model; in practice it is a privilege escalation step that follows initial access to the user account.
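As an added example (not the rule's own query, nor code from UACMe), the following Python applies the file-event check described above to a handful of constructed Sysmon-style FileCreate records. The flat `Key=Value|Key=Value` record format, the sample paths and the process names are assumptions made for the example; the match semantics follow the rule text (path begins with `C:\Users\` and ends with `\AppData\Local\Temp\` plus the DLL name).

```python
# Added example, not part of the original rule: the file-event check described
# above, run over constructed Sysmon-style records (record format assumed).

TARGET_DLL = "api-ms-win-core-kernel32-legacy-l1.DLL"
USER_PREFIX = "c:\\users\\"
TEMP_SUFFIX = "\\appdata\\local\\temp\\" + TARGET_DLL.lower()


def is_uac_bypass_drop(target_filename: str) -> bool:
    """True when the path is the UACMe 36 drop location (user temp dir + DLL name).

    NTFS paths are case-insensitive, so the comparison is made on lowercase text;
    otherwise a trivial casing change in the dropped file name would evade the rule.
    """
    path = target_filename.strip().lower()
    return path.startswith(USER_PREFIX) and path.endswith(TEMP_SUFFIX)


def parse_record(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (a constructed flat log format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect(lines):
    """Return the Image (writing process) of every record that trips the rule."""
    hits = []
    for line in lines:
        event = parse_record(line)
        # Sysmon Event ID 11 (FileCreate) fires on create and overwrite; other
        # event types are ignored because the rule keys on the file being written.
        if event.get("EventID") != "11":
            continue
        if is_uac_bypass_drop(event.get("TargetFilename", "")):
            hits.append(event.get("Image", "<unknown>"))
    return hits


# Constructed sample records: two true positives (one with varied casing) and
# three records that must stay silent.
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Users\\alice\\Downloads\\stage.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL",
    "EventID=11|Image=C:\\Users\\bob\\x.exe"
    "|TargetFilename=c:\\users\\bob\\appdata\\local\\temp\\API-MS-WIN-CORE-KERNEL32-LEGACY-L1.dll",
    # Same file name, but written under a system directory, where the real
    # API-set DLLs live: the rule is about location, so no alert.
    "EventID=11|Image=C:\\Windows\\System32\\TiWorker.exe"
    "|TargetFilename=C:\\Windows\\System32\\api-ms-win-core-kernel32-legacy-l1.DLL",
    # A different DLL in the temp directory: not this rule's concern.
    "EventID=11|Image=C:\\Users\\alice\\setup.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
    # A later delete (Sysmon 23) of the same path: this rule keys on creation.
    "EventID=23|Image=C:\\Users\\alice\\Downloads\\stage.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL",
]


if __name__ == "__main__":
    for image in detect(SAMPLE_EVENTS):
        print("UAC bypass artifact written by", image)
```

The prefix/suffix comparison mirrors the rule's wording rather than a full-path regex, so it also fires when the profile directory is nested one level deeper than usual; the deliberate gap is that it says nothing about a later deletion of the same file, which a follow-up rule on Sysmon file-delete events could cover.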
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2021-08-30