UAC Bypass Abusing Winsat Path Parsing - Registry

Hunt Hypothesis

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Detection Rule

Sigma (Original)

title: UAC Bypass Abusing Winsat Path Parsing - Registry
id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
        TargetObject|endswith: '\LowerCaseLongPath'
        Details|startswith: 'c:\users\'
        Details|endswith: '\appdata\local\temp\system32\winsat.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath" and RegistryValueData startswith "c:\\users\\" and RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath" and RegistryValueData startswith "c:\\users\\" and RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe"

Required Data Sources

Sentinel Table	Notes
`imRegistry`	Ensure this data connector is enabled

UAC Bypass Abusing Winsat Path Parsing - Registry

Hunt Hypothesis

Detection Rule

Sigma (Original)

KQL (Azure Sentinel)

KQL (Microsoft 365 Defender)

Required Data Sources

False Positive Guidance

MITRE ATT&CK Context

References