
SLUI RunAs Elevated

Splunk Security Content

Summary
This analytic rule detects instances where the Microsoft Software Licensing User Interface Tool (`slui.exe`) is executed with elevated privileges via the `-verb runas` parameter. The activity is observed through Endpoint Detection and Response (EDR) agent logs, focusing on key registry entries and command-line parameters related to process execution. An elevated execution of `slui.exe` can signal a privilege escalation attempt that would give an attacker higher-level access to the system, potentially leading to unauthorized changes or data exfiltration. The detection rule processes logs from Sysmon and Windows Event Log Security to identify when `slui.exe` is run with elevated rights, enabling proactive defense against misuse of this privilege escalation technique.
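The detection logic described above, run over constructed process-creation events, as an added example that is not part of the Splunk Security Content rule itself. It assumes Sysmon ProcessCreate-style field names (`Image`, `CommandLine`, `ParentImage`, `User`) and approximates the rule as "process is `slui.exe` and its command line carries `-verb` followed by `runas`".

```python
import ntpath
import re

# Constructed Sysmon EventID 1 style process-creation records, used as sample
# input for the detection; they are not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-12-10 09:14:02", "Image": r"C:\Windows\System32\slui.exe",
     "CommandLine": r"C:\Windows\System32\slui.exe -verb runas",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    # Benign: slui.exe asked to explain an activation error code, no elevation verb.
    {"UtcTime": "2024-12-10 09:15:40", "Image": r"C:\Windows\System32\slui.exe",
     "CommandLine": r"slui.exe 0x2a 0xC004F074",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Out of scope: "runas" appears, but the created process is not slui.exe.
    {"UtcTime": "2024-12-10 09:16:11", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "runas /user:admin notepad.exe"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    # Same technique with different casing; matching must be case-insensitive.
    {"UtcTime": "2024-12-10 09:17:05", "Image": r"C:\Windows\System32\slui.exe",
     "CommandLine": r"SLUI.EXE -VERB RUNAS",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\bob"},
]

# "-verb" switch followed (anywhere later on the line) by the "runas" verb.
VERB_RUNAS = re.compile(r"-verb\b.*\brunas\b", re.IGNORECASE)


def is_slui_runas_elevated(event: dict) -> bool:
    """True when a process-creation event matches the SLUI RunAs Elevated logic."""
    # ntpath handles Windows separators regardless of the host running this script.
    if ntpath.basename(event.get("Image", "")).lower() != "slui.exe":
        return False
    return VERB_RUNAS.search(event.get("CommandLine", "")) is not None


def detect(events):
    """Return the triage fields for each hit: when, which user, via which parent."""
    hits = []
    for ev in events:
        if is_slui_runas_elevated(ev):
            hits.append({"time": ev["UtcTime"], "user": ev["User"],
                         "parent": ntpath.basename(ev["ParentImage"]),
                         "command": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[SLUI RunAs Elevated] {hit['time']} {hit['user']} "
              f"via {hit['parent']}: {hit['command']}")
```

The parent process and user fields are what an analyst checks first: `slui.exe` elevated from a shell or PowerShell under an interactive user account is the pattern worth investigating, whereas service-launched invocations without the verb are routine activation UI.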
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1548.002
  • T1548
Created: 2024-12-10