
UAC Bypass Using IEInstal - Process

sigma HIGH SigmaHQ
T1548.002
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-23T03:15:01Z · Confidence: medium

Hunt Hypothesis

Detects the UAC bypass pattern that abuses IEInstal.exe (UACMe method 64): ieinstal.exe spawning a consent.exe located under AppData\Local\Temp while running at High or System integrity.

Detection Rule

Sigma (Original)

title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\ieinstal.exe'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")
    and (ParentProcessName endswith "\\ieinstal.exe" or ActingProcessName endswith "\\ieinstal.exe")
    and TargetProcessName contains "\\AppData\\Local\\Temp\\"
    and TargetProcessName endswith "consent.exe"
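The selection logic shared by the Sigma rule and the KQL query above, evaluated over a few constructed process-creation events. This is an added example, not code from SigmaHQ or from the feed; the event field names follow the Sigma rule, the sample paths and the "user" profile name are made up, and Sigma's default case-insensitive string matching is reproduced by lower-casing every value.

```python
# Added example: the rule's selection evaluated over constructed
# process-creation events (not real telemetry).

# Values copied from the rule's selection; Sigma's endswith/contains
# modifiers are case-insensitive, so everything is compared lower-cased.
INTEGRITY_LEVELS = {"high", "system", "s-1-16-16384", "s-1-16-12288"}
PARENT_SUFFIX = "\\ieinstal.exe"
IMAGE_CONTAINS = "\\appdata\\local\\temp\\"
IMAGE_SUFFIX = "consent.exe"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every clause of the selection (AND)."""
    integrity = str(event.get("IntegrityLevel", "")).lower()
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    return (
        integrity in INTEGRITY_LEVELS          # list value = OR of the four
        and parent.endswith(PARENT_SUFFIX)
        and IMAGE_CONTAINS in image
        and image.endswith(IMAGE_SUFFIX)
    )


def make_event(integrity, parent, image):
    return {"IntegrityLevel": integrity, "ParentImage": parent, "Image": image}


# Constructed samples; "user" is a placeholder profile name.
SAMPLE_EVENTS = [
    # 0: elevated consent.exe dropped in Temp, parent ieinstal.exe -> alert
    make_event("High", "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
               "C:\\Users\\user\\AppData\\Local\\Temp\\consent.exe"),
    # 1: legitimate UAC prompt, consent.exe from System32 -> no alert
    make_event("System", "C:\\Windows\\System32\\svchost.exe",
               "C:\\Windows\\System32\\consent.exe"),
    # 2: right parent and path but Medium integrity -> no alert
    make_event("Medium", "C:\\Program Files\\Internet Explorer\\ieinstal.exe",
               "C:\\Users\\user\\AppData\\Local\\Temp\\consent.exe"),
    # 3: SID form of the integrity level, upper-case paths -> alert
    make_event("S-1-16-12288", "C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEINSTAL.EXE",
               "C:\\USERS\\USER\\APPDATA\\LOCAL\\TEMP\\CONSENT.EXE"),
]


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Events 1 and 2 show why the rule needs every clause: a consent.exe launched from System32 by the normal UAC path, or one that never reached High integrity, is not reported.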

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control (tactic: Privilege Escalation)

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml