
UAC Bypass Using NTFS Reparse Point - Process

Sigma Rules

Summary
This detection rule identifies attempts to bypass User Account Control (UAC) on Windows through NTFS reparse points combined with dynamic link library (DLL) hijacking of the 'wusa.exe' executable. It matches process creations of 'wusa.exe' whose command line begins with 'C:\Windows\system32\wusa.exe' and carries parameters indicating a quiet update installation from a temporary directory. It also matches suspicious 'dism.exe' invocations, in particular ones that add packages while manipulating the integrity level, a sign of the privilege-escalation tactics commonly used by malware. The rule helps security teams detect and respond to attackers executing unauthorized code with elevated privileges by abusing legitimate system processes and configurations.
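To show how the two selections described above would be applied to process-creation telemetry, here is an added Python example (not the rule's own Sigma source). It assumes Sysmon EventID 1-style fields (Image, CommandLine, IntegrityLevel), reads "temporary directory" as any path containing \Temp\, and reads the dism condition as /add-package running at High or System integrity; the events are constructed sample data.

```python
import re

# Constructed Sysmon EventID 1-style process-creation events; sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wusa.exe", "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\system32\wusa.exe C:\Users\alice\AppData\Local\Temp\update.msu /quiet"},
    {"Image": r"C:\Windows\System32\wusa.exe", "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\system32\wusa.exe C:\Updates\patch.msu /quiet"},  # not from Temp: no hit
    {"Image": r"C:\Windows\System32\Dism.exe", "IntegrityLevel": "High",
     "CommandLine": r"dism.exe /online /add-package /packagepath:C:\Windows\Temp\pkg.cab /norestart"},
    {"Image": r"C:\Windows\System32\Dism.exe", "IntegrityLevel": "Medium",
     "CommandLine": r"dism.exe /online /get-packages"},  # read-only query: no hit
    {"Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "Medium",
     "CommandLine": "notepad.exe"},
]

WUSA_PREFIX = r"c:\windows\system32\wusa.exe"          # prefix quoted in the rule summary
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)      # assumption: "temporary directory" == a \Temp\ path


def is_wusa_quiet_temp_install(event):
    """Selection 1: wusa.exe launched with the system32 prefix, /quiet, and a package under a Temp path."""
    cmd = event.get("CommandLine", "")
    return (cmd.lower().startswith(WUSA_PREFIX)
            and "/quiet" in cmd.lower()
            and TEMP_PATH.search(cmd) is not None)


def is_dism_elevated_add_package(event):
    """Selection 2: dism.exe adding a package at an elevated integrity level (assumed reading of the summary)."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    return (image.endswith("\\dism.exe")
            and "/add-package" in cmd
            and event.get("IntegrityLevel") in ("High", "System"))


def match_events(events):
    """Return (selection_name, command_line) for every event that satisfies either selection."""
    hits = []
    for e in events:
        if is_wusa_quiet_temp_install(e):
            hits.append(("wusa_reparse_bypass", e["CommandLine"]))
        elif is_dism_elevated_add_package(e):
            hits.append(("dism_add_package_elevated", e["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Running the block against the constructed events flags the first wusa.exe line and the dism.exe /add-package line, and leaves the non-Temp update, the read-only dism query, and notepad untouched.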
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-08-30