Adversaries may bypass UAC by executing IEInstal.exe, a known technique used in UACMe 64 payloads, to gain elevated privileges without user interaction. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts and mitigate advanced persistent threats.
Detection Rule
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
// ASIM mapping: the Sigma Image field is the acting process (ActingProcessName);
// the Sigma TargetFilename field is the full path of the written file (TargetFilePath).
| where ActingProcessName =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and TargetFilePath startswith "C:\\Users\\" and TargetFilePath contains "\\AppData\\Local\\Temp\\" and TargetFilePath endswith "consent.exe"
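The same selection logic, written in Python as an added example (not part of the rule or the Sigma project) so the matching can be checked against constructed file-event records; the record keys follow the Sigma field names above, and the sample events are made up for illustration.

```python
# Added example: evaluate the "UAC Bypass Using IEInstal - File" selection over
# constructed file_event records. Sigma string modifiers (startswith / contains /
# endswith) and the KQL =~ operator are case-insensitive, so the comparison
# lower-cases both sides, which also matches Windows path semantics.

IMAGE = r"C:\Program Files\Internet Explorer\IEInstal.exe"
TARGET_PREFIX = "C:\\Users\\"
TARGET_CONTAINS = "\\AppData\\Local\\Temp\\"
TARGET_SUFFIX = "consent.exe"


def matches_ieinstal_uac_bypass(event: dict) -> bool:
    """Return True when one file_event record satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (
        image == IMAGE.lower()
        and target.startswith(TARGET_PREFIX.lower())
        and TARGET_CONTAINS.lower() in target
        and target.endswith(TARGET_SUFFIX)
    )


def hunt(events: list) -> list:
    """Filter a batch of file events down to the ones that trigger the rule."""
    return [e for e in events if matches_ieinstal_uac_bypass(e)]


# Constructed sample telemetry (not real logs): one true positive, one
# case-variant true positive, and two near misses that must not alert.
SAMPLE_EVENTS = [
    {"Image": IMAGE, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\consent.exe"},
    {"Image": IMAGE.upper(), "TargetFilename": r"C:\USERS\BOB\APPDATA\LOCAL\TEMP\x\consent.exe"},
    # Same file name, but written by a different process: not this technique.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\consent.exe"},
    # Right process, but the drop location is outside the user's Temp folder.
    {"Image": IMAGE, "TargetFilename": r"C:\ProgramData\consent.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```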
Scenario: Scheduled Task for System Maintenance
Description: A legitimate scheduled task runs IEInstal.exe as part of a system cleanup or update process.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or where the parent process is a known system maintenance tool (e.g., task scheduler or Windows Update).
Scenario: Admin Deployment of IEInstal.exe for Compatibility Testing
Description: An administrator uses IEInstal.exe to test compatibility of legacy applications that require elevated privileges.
Filter/Exclusion: Exclude processes where the user is a domain admin and the command line includes flags like /test or /compatibility.
Scenario: Group Policy Update via Remote Server
Description: A Group Policy update is deployed remotely, which includes running IEInstal.exe to apply settings.
Filter/Exclusion: Exclude processes where the parent process is gpupdate.exe or GroupPolicy and the execution is initiated from a trusted management server.
Scenario: Software Installation via MSI Package
Description: A software installation package (e.g., from Microsoft or a trusted vendor) uses IEInstal.exe as part of its deployment process.
Filter/Exclusion: Exclude processes where the command line includes MSI package paths or where the parent process is msiexec.exe.
Scenario: PowerShell Script for UAC Bypass in Scripting Context
Description: A PowerShell script is used to bypass UAC for administrative tasks, and it invokes IEInstal.exe as part of the process.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script is signed by a trusted certificate or located in a known script directory (e.g., C:\Windows\System32\).