Adversaries may bypass UAC by modifying the token through MSConfig, allowing execution of payloads without elevation prompts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts and mitigate advanced persistence techniques.
Detection Rule
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where TargetFileName startswith "C:\\Users\\" and TargetFileName endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
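The selection above applied to file-creation events, as an added example that is not part of the rule or of UACMe: it evaluates the Sigma `startswith`/`endswith` modifiers case-insensitively (an assumption mirroring KQL's operators and the case-insensitive Windows file system) over constructed Sysmon Event ID 11 style records, flagging the Temp-folder pkgmgr.exe drop while ignoring the legitimate System32 copy.

```python
# Sigma selection from the rule: every modifier must hold (AND semantics).
SELECTION = {
    "TargetFilename|startswith": "C:\\Users\\",
    "TargetFilename|endswith": "\\AppData\\Local\\Temp\\pkgmgr.exe",
}

def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Return True when the event satisfies every field/modifier pair.

    Matching is case-insensitive (assumption): KQL startswith/endswith are
    case-insensitive and NTFS paths are too, so 'PKGMGR.EXE' must still hit.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        expected = expected.lower()
        if modifier == "startswith":
            ok = value.startswith(expected)
        elif modifier == "endswith":
            ok = value.endswith(expected)
        elif modifier == "":
            ok = value == expected
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True

# Constructed sample events shaped like Sysmon Event ID 11 (FileCreate).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msconfig.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkgmgr.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msconfig.exe",
     "TargetFilename": "c:\\users\\bob\\appdata\\local\\temp\\PKGMGR.EXE"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\dism.exe",
     "TargetFilename": "C:\\Windows\\System32\\pkgmgr.exe"},   # legitimate
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.log"},
]

def hunt(events) -> list:
    """Return the TargetFilename of every event the rule would flag."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT (high): UAC Bypass Using MSConfig Token Modification:", hit)
```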
Scenario: Legitimate System Configuration via MSConfig
Description: An administrator uses the msconfig tool (via msconfig.exe) to modify boot settings or services as part of routine system configuration.
Filter/Exclusion: process.name != "msconfig.exe" OR process.parent.name != "explorer.exe" OR process.user != "Administrator"
Scenario: Scheduled Task with UAC Bypass Intent
Description: A scheduled task is configured to run with elevated privileges using a token modification technique, mimicking the behavior of the UACMe exploit.
Filter/Exclusion: process.name != "schtasks.exe" OR process.parent.name != "services.exe" OR process.user != "SYSTEM"
Scenario: Admin User Performing Token Manipulation for Debugging
Description: A system administrator uses a legitimate tool like PsExec or PSTools to run a process with elevated privileges for debugging or troubleshooting.
Filter/Exclusion: process.name != "psexec.exe" OR process.parent.name != "cmd.exe" OR process.user != "Administrator"
Scenario: Software Deployment with Elevated Privileges
Description: A deployment tool such as Chocolatey or PowerShell is used to install software with elevated privileges, which may trigger similar behavior to the UACMe exploit.
Filter/Exclusion: process.name != "choco.exe" OR process.name != "powershell.exe" OR process.user != "Administrator"
Scenario: Malicious Tool Mimicking Legitimate Behavior
Description: A legitimate tool like Process Explorer or Process Monitor is used in a way that resembles the UACMe exploit, such as modifying token settings.
Filter/Exclusion: process.name != "procexp.exe