Adversaries can bypass UAC with UACMe method 22, a DLL hijack that stages a rogue comctl32.dll under a directory in System32 whose name begins with consent.exe.@ (the path this rule keys on). consent.exe, the binary that renders the UAC prompt, is started by the Application Information service with elevated privileges, so when it picks up the attacker's comctl32.dll instead of the legitimate one the payload runs elevated without any prompt. A hit on this rule therefore indicates privilege escalation in progress, not just suspicious file activity. SOC teams should proactively hunt for this file-write pattern in Microsoft Sentinel (formerly Azure Sentinel) to catch the elevation step before the attacker turns it into elevated persistence.
Detection Rule
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
        TargetFilename|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Microsoft Sentinel (ASIM imFileEvent) translation. In the ASIM file-event schema the full path is TargetFilePath; TargetFileName holds only the file name, so a startswith on a full path against TargetFileName would never match. Backslashes are doubled because KQL treats a backslash in a double-quoted literal as an escape character.
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath startswith "C:\\Windows\\System32\\consent.exe.@" and TargetFilePath endswith "\\comctl32.dll"
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, TargetFilePath
The Sigma rule lists false positives as Unknown, and no legitimate Windows component writes a comctl32.dll beneath a consent.exe.@ directory in System32. The scenarios below are the ones most often proposed as benign explanations; none of them produces a matching file event, so no exclusion should be added for them.
Scenario: Scheduled Task Running as Standard User
Description: A scheduled task running as a standard user loads the legitimate comctl32.dll from System32 or WinSxS. That produces an image-load event, not a file creation under C:\Windows\System32\consent.exe.@, so it does not match this rule. A standard-user process writing into that path is exactly the staging step the rule exists to catch.
Filter/Exclusion: None. Do not exclude on the user field (for example by dropping non-administrative accounts): the technique is launched from an unelevated account, so such a filter would discard the true positives.
Scenario: Microsoft Update or Windows Defender Scan
Description: Component servicing (TrustedInstaller/TiWorker.exe) writes new comctl32.dll versions into C:\Windows\WinSxS, and a Defender scan only reads files. Neither creates comctl32.dll under a consent.exe.@ directory, so the rule's startswith condition already leaves them out.
Filter/Exclusion: None. A filter such as ImageLoadedName != "comctl32.dll" belongs to image-load events, not file events, and would suppress every true positive. When the path matches, examine the writing process (Image in Sysmon Event ID 11, ActingProcessName in ASIM) instead of excluding it.
Scenario: User Running Consent.exe for UAC Prompt
Description: consent.exe is started by the Application Information service when a program requests elevation; it is not something users run by hand, and displaying the prompt writes no files into System32. A UAC prompt for installing an update or changing a setting therefore never creates a comctl32.dll under consent.exe.@.
Filter/Exclusion: None. Command-line filters on consent.exe do not apply to a file_event rule and should not be added.
Scenario: Admin Approval Prompt for File Access
Description: When an application asks for elevation to touch a protected file or registry key, consent.exe loads the legitimate comctl32.dll from its normal location; it does not write a copy next to itself. Prompts triggered by explorer.exe or taskmgr.exe generate no matching event.
Filter/Exclusion: None. Excluding well-known process names would also hide an attacker who drops the DLL through a process carrying a trusted name. Key on the path, then triage the hit: record the writing process and user, hash the dropped comctl32.dll and compare it with the legitimate copy in System32, and look for consent.exe executing shortly afterwards.
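The following is an added example, not code from the page or from the Sigma rule's author. It implements the rule's two selection fields with Sigma's case-insensitive startswith/endswith semantics and runs them over constructed Sysmon Event ID 11 records: two staging writes under consent.exe.@ (one in mixed case with an extra subdirectory), servicing of a real comctl32.dll into WinSxS, a third-party installer shipping its own private comctl32.dll, and a file under the suspicious directory that is not the hijacked DLL. The last three correspond to the scenarios above and show why they need no exclusion. All process names, user names, directory names and record IDs are constructed for the example.

```python
"""Evaluate the selection from 'UAC Bypass Using Consent and Comctl32 - File'
over constructed Sysmon Event ID 11 (FileCreate) records."""

# Sigma compares strings case-insensitively, and NTFS path lookup is
# case-insensitive too, so CONSENT.EXE.@\COMCTL32.DLL must still be caught.
RULE_PREFIX = r"C:\Windows\System32\consent.exe.@"
RULE_SUFFIX = r"\comctl32.dll"


def sigma_startswith(value: str, prefix: str) -> bool:
    return value.casefold().startswith(prefix.casefold())


def sigma_endswith(value: str, suffix: str) -> bool:
    return value.casefold().endswith(suffix.casefold())


def matches_rule(event: dict) -> bool:
    """One selection with two fields, which Sigma ANDs together; with
    'condition: selection' nothing else is filtered out."""
    path = event.get("TargetFilename", "")
    return sigma_startswith(path, RULE_PREFIX) and sigma_endswith(path, RULE_SUFFIX)


# Constructed Sysmon EID 11 records, not real telemetry. Field names follow
# Sysmon; the ASIM/KQL equivalent of TargetFilename is TargetFilePath.
SAMPLE_EVENTS = [
    {   # staging of the rogue DLL by an unelevated user process
        "RecordId": 1, "EventID": 11, "User": "CORP\\alice",
        "Image": r"C:\Users\alice\Downloads\stage.exe",
        "TargetFilename": r"C:\Windows\System32\consent.exe.@\comctl32.dll",
    },
    {   # same technique, mixed case and an extra subdirectory level
        "RecordId": 2, "EventID": 11, "User": "CORP\\alice",
        "Image": r"C:\Users\alice\Downloads\stage.exe",
        "TargetFilename": r"C:\WINDOWS\System32\CONSENT.EXE.@\x64\ComCtl32.dll",
    },
    {   # component servicing writing a real comctl32.dll into WinSxS: wrong prefix
        "RecordId": 3, "EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
        "Image": r"C:\Windows\WinSxS\amd64_servicingstack_example\TiWorker.exe",
        "TargetFilename": r"C:\Windows\WinSxS\amd64_common-controls_example\comctl32.dll",
    },
    {   # third-party installer shipping a private comctl32.dll: wrong prefix
        "RecordId": 4, "EventID": 11, "User": "CORP\\bob",
        "Image": r"C:\Users\bob\Downloads\vendor-setup.exe",
        "TargetFilename": r"C:\Program Files\Vendor App\comctl32.dll",
    },
    {   # a file under the suspicious directory that is not the hijacked DLL:
        # prefix matches, suffix does not, so this narrow rule stays silent
        "RecordId": 5, "EventID": 11, "User": "CORP\\alice",
        "Image": r"C:\Users\alice\Downloads\stage.exe",
        "TargetFilename": r"C:\Windows\System32\consent.exe.@\notes.txt",
    },
]


def hunt(events):
    """Return the records the rule fires on, with the fields an analyst
    needs first: who wrote the file and from which process."""
    return [
        {"RecordId": e["RecordId"], "User": e["User"], "Image": e["Image"],
         "TargetFilename": e["TargetFilename"]}
        for e in events
        if e.get("EventID") == 11 and matches_rule(e)
    ]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Record 5 is worth noting when tuning: the rule fires only on comctl32.dll itself, so any other file created under a consent.exe.@ directory is invisible to it and would need a separate, path-only rule if you want to see the directory being prepared.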