
Summary
This rule detects User Account Control (UAC) bypass attempts that hijack a 32-bit logger DLL on Windows systems, specifically within the Wow64 subsystem (Windows-on-Windows 64-bit), the compatibility layer that lets 32-bit applications run on 64-bit Windows. The detection identifies process creation patterns characteristic of this technique: the process must originate from the SysWOW64 directory, and it must hold access rights indicating high-level privileges (a granted access value of '0x1fffff'). This pattern matches exploitation techniques documented in the UACMe GitHub repository, which attackers use to elevate privileges. Because UAC bypasses are common in privilege escalation, this rule is useful for real-time monitoring and alerting in Windows environments.
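As an added illustration (not the rule's own definition), the two characteristics described above expressed as a matcher over constructed process events; the record shape (image, granted_access) and the sample events are assumptions, not the rule's telemetry schema, and the matcher also normalises path case, path separators and hex/decimal access masks so that trivially varied logging does not slip past the check:

```python
from dataclasses import dataclass
from typing import List, Optional

# Prefix the rule summary requires the process path to start with (compared case-insensitively).
SYSWOW64 = "c:\\windows\\syswow64\\"
# The '0x1fffff' granted-access value named in the rule summary (full access mask).
FULL_ACCESS = 0x1FFFFF


@dataclass(frozen=True)
class ProcessEvent:
    # Constructed record shape; real telemetry uses its own field names.
    image: str           # full path of the process the event describes
    granted_access: str  # access mask as logged, e.g. "0x1fffff"


def parse_access_mask(value: str) -> Optional[int]:
    """Normalise a logged access mask ("0x1FFFFF", "0x1fffff", "2097151") to an int."""
    v = value.strip()
    try:
        return int(v, 16) if v.lower().startswith("0x") else int(v, 10)
    except ValueError:
        return None  # unparsable mask: treat as non-matching rather than crashing the pipeline


def normalise_path(path: str) -> str:
    """Lower-case and collapse forward slashes so the prefix check is not case- or separator-sensitive."""
    return path.strip().replace("/", "\\").lower()


def matches_wow64_uac_bypass(event: ProcessEvent) -> bool:
    """True when the event shows both characteristics the summary describes:
    a process under SysWOW64 holding a 0x1fffff (full) access mask."""
    from_syswow64 = normalise_path(event.image).startswith(SYSWOW64)
    mask = parse_access_mask(event.granted_access)
    return from_syswow64 and mask == FULL_ACCESS


def alert_on(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that match, i.e. the ones that would raise an alert."""
    return [e for e in events if matches_wow64_uac_bypass(e)]


SAMPLE_EVENTS = [  # constructed examples, not captured telemetry
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", "0x1fffff"),        # match
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "0x1fffff"),   # wrong directory
    ProcessEvent("c:/windows/syswow64/notepad.exe", "0x1FFFFF"),     # match after normalisation
    ProcessEvent(r"C:\Windows\SysWOW64\explorer.exe", "0x1000"),     # low access mask
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe", "junk"),       # unparsable mask
]

if __name__ == "__main__":
    for e in alert_on(SAMPLE_EVENTS):
        print("match:", e.image, e.granted_access)
```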
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-08-23