
Summary
This detection rule identifies attempts to bypass User Account Control (UAC) through the MSConfig graphical user interface, specifically by way of an executable named `pkgmgr.exe` placed in a Windows user's temporary files directory. The technique, catalogued as UACMe 55, abuses the ability to modify a process token and may allow unauthorized privilege escalation. The rule matches file events in which the target file path starts with `C:\Users\` and ends with `\AppData\Local\Temp\pkgmgr.exe`, a combination that points to an ephemeral executable being staged in a user-writable location. Monitoring for this pattern lets security teams detect attempts to obtain elevated privileges without proper authorization.
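The following is an added example written for this page, not the rule's own implementation: a small Python matcher that applies the two path conditions above to file events. It assumes events arrive as dictionaries with a `TargetFilename` field, as Sysmon Event ID 11 (FileCreate) records provide; the sample events are constructed, not real telemetry.

```python
"""Matcher for the UAC bypass via MSConfig GUI (UACMe 55) file-event rule.

Illustrative code for this page, not the rule's own implementation.
Assumes each file event is a dict carrying a 'TargetFilename' field
(as Sysmon Event ID 11 provides) and applies the rule's two conditions:
path starts with C:\\Users\\ and ends with \\AppData\\Local\\Temp\\pkgmgr.exe.
"""
from typing import Dict, Iterable, List

# The rule's conditions exactly as the page states them.
PATH_PREFIX = "C:\\Users\\"
PATH_SUFFIX = "\\AppData\\Local\\Temp\\pkgmgr.exe"


def matches_rule(target_filename: str) -> bool:
    """Return True when the path satisfies both the prefix and suffix condition.

    Windows paths are case-insensitive, so the comparison runs on a
    case-folded copy; 'c:\\users\\ALICE\\...\\PKGMGR.EXE' must still match.
    """
    path = target_filename.casefold()
    return path.startswith(PATH_PREFIX.casefold()) and path.endswith(PATH_SUFFIX.casefold())


def scan_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of file events that trigger the rule."""
    return [e for e in events if matches_rule(e.get("TargetFilename", ""))]


# Constructed sample events (not real telemetry) covering hits and near-misses.
SAMPLE_EVENTS = [
    # hit: exact directory, expected case
    {"EventID": "11",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkgmgr.exe"},
    # hit: same location, different letter case
    {"EventID": "11",
     "TargetFilename": "c:\\users\\BOB\\appdata\\local\\temp\\PKGMGR.EXE"},
    # miss: the legitimate copy under the system directory
    {"EventID": "11",
     "TargetFilename": "C:\\Windows\\System32\\pkgmgr.exe"},
    # miss: a subdirectory of Temp, so the suffix condition does not hold
    {"EventID": "11",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\build\\pkgmgr.exe"},
    # miss: different extension
    {"EventID": "11",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkgmgr.exe.txt"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT UAC bypass via MSConfig GUI (UACMe 55):", hit["TargetFilename"])
```

Note that the suffix condition anchors `pkgmgr.exe` directly inside `\AppData\Local\Temp\`, so a copy dropped one directory deeper is not matched; whether to widen the rule to `\AppData\Local\Temp\` anywhere in the path is a tuning decision that trades precision for coverage.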
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2021-08-30