Adversaries may bypass UAC by exploiting a path parsing vulnerability in winsat.exe to execute payloads with elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential UAC bypass attempts and mitigate lateral movement or persistence risks.
Detection Rule
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith:
            - '\AppData\Local\Temp\system32\winsat.exe'
            - '\AppData\Local\Temp\system32\winmm.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where TargetFileName startswith "C:\\Users\\" and (TargetFileName endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or TargetFileName endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll")
Scenario: Scheduled System Performance Test via Winsat.exe
Description: A legitimate scheduled task runs winsat.exe to perform a system performance test, which may trigger the rule due to path parsing.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "winsat.exe -run"
Scenario: Admin Task Using Winsat for Diagnostic Purposes
Description: An administrator manually runs winsat.exe with elevated privileges to test system performance, which may be flagged as UAC bypass.
Filter/Exclusion: process.user == "Administrator" and process.command_line contains "winsat.exe -run"
Scenario: PowerShell Script Invoking Winsat.exe
Description: A PowerShell script (a .ps1 file run through powershell.exe) may invoke winsat.exe with path manipulation, triggering the rule.
Filter/Exclusion: process.parent_process_name == "powershell.exe" and process.command_line contains "winsat.exe"
Scenario: Group Policy or Task Scheduler Using Winsat.exe
Description: A Group Policy or Task Scheduler job may execute winsat.exe as part of system maintenance, which could be misinterpreted as a UAC bypass.
Filter/Exclusion: process.parent_process_name == "taskhost.exe" or process.parent_process_name == "gpresult.exe"
Scenario: Third-Party Tool Using Winsat.exe for System Checks
Description: A legitimate third-party tool (e.g., system diagnostics or monitoring software) may use winsat.exe to gather system metrics, leading to false positives.
Filter/Exclusion: process.parent_process_name contains "Sysinternals" or process.parent_process_name contains "Process Monitor" or process.command_line contains "winsat.exe -run"