
Suspicious ComputerDefaults.exe Execution

Anvilogic Forge

Summary
This detection rule targets suspicious executions of ComputerDefaults.exe, the legitimate Microsoft-signed Windows binary behind the Default Programs control panel. The binary is normally benign, but it is auto-elevating: it runs at high integrity without a UAC prompt, and on launch it resolves the ms-settings protocol handler from the current user's registry hive (HKCU\Software\Classes\ms-settings\shell\open\command). Because a standard user can write that key, an attacker who plants a command there and then starts ComputerDefaults.exe gets the command executed at high integrity, bypassing User Account Control (ATT&CK T1548.002). The rule flags executions of ComputerDefaults.exe at high or system integrity whose parent process is not located under an expected directory such as C:\Windows\System32 or Program Files; a bypass is typically launched from a dropper or script in a user-writable location, so an unexpected parent path is the signal. The matching logic is a Splunk query over Windows Security event ID 4688 (process creation) that uses the new process name, the Mandatory Label (integrity level) and the creator process name, so process creation auditing must be enabled on the endpoint for the rule to fire. The rule follows the Living Off the Land Binaries and Scripts (LOLBAS) methodology and detects abuse of elevation control mechanisms via UAC bypass.
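The following is an added example, not Anvilogic's rule or code: the detection logic described above re-implemented in Python and run over constructed Security event 4688 records (the sample events are made up for this example, not captured telemetry). It assumes the 4688 message-body field names "New Process Name", "Creator Process Name" and "Mandatory Label", and an allowlist of parent directories (System32, Program Files, Program Files (x86)) chosen here to mirror the summary's exclusions.

```python
# Added example: Python re-implementation of the ComputerDefaults.exe rule logic.
# Not Anvilogic's code; field names follow Windows Security event 4688.
import re
from pathlib import PureWindowsPath

# Integrity-level SIDs as they appear in the 4688 "Mandatory Label" field.
HIGH_IL = "S-1-16-12288"
SYSTEM_IL = "S-1-16-16384"
ELEVATED_LABELS = {HIGH_IL, SYSTEM_IL}

# Parent-process locations treated as expected. Assumption: this list mirrors
# the "System32 or Program Files" exclusions described in the rule summary.
TRUSTED_PARENT_DIRS = (
    r"C:\Windows\System32",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

TARGET_IMAGE = "computerdefaults.exe"


def parse_4688(text: str) -> dict:
    """Parse 'Field:<tab>value' lines of a 4688 message body into a dict.

    Only the first ':' splits field from value, so drive letters in paths
    (C:\\...) stay inside the value.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def is_under(path: str, base: str) -> bool:
    """Case-insensitive, component-wise 'path lies inside base' check.

    Comparing path components (not string prefixes) means
    C:\\Windows\\System32Evil\\x.exe is NOT under C:\\Windows\\System32.
    """
    p = PureWindowsPath(path.lower()).parts
    b = PureWindowsPath(base.lower()).parts
    return len(p) > len(b) and p[: len(b)] == b


def is_suspicious(ev: dict) -> bool:
    """Apply the rule: ComputerDefaults.exe at high/system integrity whose
    parent is not under a trusted directory. A missing parent path is
    treated as untrusted so the event is still surfaced."""
    image = ev.get("New Process Name", "")
    parent = ev.get("Creator Process Name", "")
    label = ev.get("Mandatory Label", "")
    if PureWindowsPath(image).name.lower() != TARGET_IMAGE:
        return False
    if label not in ELEVATED_LABELS:
        return False
    return not any(is_under(parent, d) for d in TRUSTED_PARENT_DIRS)


# Constructed sample events (not real telemetry), one per case.
SAMPLE_EVENTS = [
    # 0: expected launch, parent under System32 -> not flagged
    "New Process Name:\tC:\\Windows\\System32\\ComputerDefaults.exe\n"
    "Creator Process Name:\tC:\\Windows\\System32\\control.exe\n"
    "Mandatory Label:\tS-1-16-12288",
    # 1: launched from a user-writable Temp dropper at high IL -> flagged
    "New Process Name:\tC:\\Windows\\System32\\ComputerDefaults.exe\n"
    "Creator Process Name:\tC:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe\n"
    "Mandatory Label:\tS-1-16-12288",
    # 2: same parent but medium IL (S-1-16-8192) -> not elevated, not flagged
    "New Process Name:\tC:\\Windows\\System32\\ComputerDefaults.exe\n"
    "Creator Process Name:\tC:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe\n"
    "Mandatory Label:\tS-1-16-8192",
    # 3: parent is explorer.exe, which lives in C:\Windows, not System32 -> flagged
    "New Process Name:\tC:\\Windows\\System32\\ComputerDefaults.exe\n"
    "Creator Process Name:\tC:\\Windows\\explorer.exe\n"
    "Mandatory Label:\tS-1-16-12288",
]


def run_detection(events):
    """Return (index, parsed event) pairs that match the rule."""
    hits = []
    for i, raw in enumerate(events):
        ev = parse_4688(raw)
        if is_suspicious(ev):
            hits.append((i, ev))
    return hits


if __name__ == "__main__":
    for i, ev in run_detection(SAMPLE_EVENTS):
        print(f"event {i}: {ev['New Process Name']} <- "
              f"{ev['Creator Process Name']} ({ev['Mandatory Label']})")
```

Event 3 is the tuning caveat: because ComputerDefaults.exe auto-elevates, an administrator opening Default Programs from the shell produces a high-integrity launch whose parent, explorer.exe, sits in C:\Windows rather than System32, so a strict System32/Program Files allowlist will flag it. Baseline the parent paths seen in your own environment before deploying, and corroborate hits with the Windows Registry data source listed below (a write to HKCU\Software\Classes\ms-settings\shell\open\command shortly before the launch) to separate a bypass from an administrator clicking through the control panel.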
Categories
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1548.002
Created: 2024-02-09