Adversaries may bypass User Account Control through the IDiagnosticProfileUAC technique, in which DllHost.exe writes a DLL into the System32 directory and elevated code runs without a consent prompt. SOC teams should proactively hunt for this behavior in Azure Sentinel, as it indicates potential privilege escalation and evasion of standard security controls.
Detection Rule
title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: test
description: Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\DllHost.exe'
        TargetFilename|startswith: 'C:\Windows\System32\'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
// ASIM File Event parser: the Sigma 'Image' field is the acting process path (ActingProcessName),
// and 'TargetFilename' is the full path of the written file (TargetFilePath), not the bare file name.
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\DllHost.exe"
    and TargetFilePath startswith "C:\\Windows\\System32\\"
    and TargetFilePath endswith ".dll"
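As an added example (not part of the original rule or page), the following Python evaluates the rule's `selection` with Sigma's case-insensitive string-modifier semantics over constructed Sysmon Event ID 11 (FileCreate) records, showing which events fire and which stay quiet; the field names follow Sysmon and the sample paths are made up.

```python
# The rule's selection, transcribed from the page (field|modifier: value).
SELECTION = {
    "Image|endswith": "\\DllHost.exe",
    "TargetFilename|startswith": "C:\\Windows\\System32\\",
    "TargetFilename|endswith": ".dll",
}

def _match(modifier: str, actual: str, expected: str) -> bool:
    """Sigma string comparison: case-insensitive, so 'DllHost.exe' matches 'dllhost.exe'."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Keys of a Sigma selection map are AND-ed; a missing field never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if not isinstance(actual, str) or not _match(modifier, actual, expected):
            return False
    return True

# Constructed Sysmon Event ID 11 records, not real telemetry; file names are placeholders.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\dllhost.exe",            # fires: dllhost.exe drops a DLL into System32
     "TargetFilename": "C:\\Windows\\System32\\constructed_example.dll"},
    {"Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",   # quiet: servicing stack writing a system DLL
     "TargetFilename": "C:\\Windows\\System32\\ntdll.dll"},
    {"Image": "C:\\Windows\\System32\\dllhost.exe",            # quiet: written file is not a DLL
     "TargetFilename": "C:\\Windows\\System32\\Tasks\\constructed.job"},
    {"Image": "C:\\Windows\\SysWOW64\\dllhost.exe",            # quiet: DLL written outside System32
     "TargetFilename": "C:\\Users\\Public\\constructed.dll"},
]

def triage(events: list) -> list:
    """Return the TargetFilename of every record that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```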
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that creates a temporary file in the system directory as part of routine maintenance.
Filter/Exclusion: file.path != "C:\Windows\Temp\*" or file.name != "maintenance_temp_file.txt"
Scenario: Windows Update Installer
Description: The Windows Update installer creates temporary files in system directories during the update process.
Filter/Exclusion: file.path != "C:\Windows\Temp\*" or file.name != "WindowsUpdate.log"
Scenario: Admin Performing File-Based Configuration
Description: An administrator creates a configuration file using a text editor (e.g., Notepad) to modify system settings.
Filter/Exclusion: process.name != "notepad.exe" or file.name != "config_settings.txt"
Scenario: PowerShell Script for Log Analysis
Description: A PowerShell script runs as part of log analysis, generating a temporary file to store intermediate results.
Filter/Exclusion: process.name != "powershell.exe" or file.name != "log_analysis_temp.txt"
Scenario: Antivirus Quarantine File Creation
Description: Antivirus software creates a quarantine file to isolate a potentially malicious file for analysis.
Filter/Exclusion: file.path != "C:\ProgramData\Microsoft\Windows Defender\Quarantine\*" or process.name != "MsMpEng.exe"