Adversaries may bypass UAC by abusing the .NET CLR profiler hook so that mmc.exe, an auto-elevating Windows binary, loads an attacker-controlled DLL and runs their code with high integrity without a consent prompt. SOC teams should proactively hunt for the staged payload in Azure Sentinel to identify UAC bypass attempts early, before the elevated foothold is used for persistence or further compromise of the host.
Detection Rule
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
// ASIM FileEvent: TargetFilePath holds the full normalized path; TargetFileName is the bare file name,
// so the rule's path prefix must be matched against TargetFilePath. KQL startswith/endswith are
// case-insensitive, which matches Sigma's default string matching.
imFileEvent
| where TargetFilePath startswith "C:\\Users\\" and TargetFilePath endswith "\\AppData\\Local\\Temp\\pe386.dll"
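To make the rule's matching behavior concrete (and to show why the false-positive scenarios below rarely apply), here is an added example that re-implements the Sigma selection above in Python and runs it over a few constructed Sysmon Event ID 11 (FileCreate) style records. This is illustrative code written for this page, not part of the Sigma rule, SigmaHQ, or the UACMe project; the host names, user names, creating processes and file names in the sample events are invented.

```python
"""Added example: the Sigma selection from the rule above, re-implemented
and evaluated offline over constructed Sysmon FileCreate-style records."""

# Sigma string modifiers are case-insensitive by default, and the two
# field conditions inside one selection are ANDed together.
PREFIX = "C:\\Users\\"
SUFFIX = "\\AppData\\Local\\Temp\\pe386.dll"


def matches_rule(event: dict) -> bool:
    """Return True if a file-creation event satisfies the rule's selection."""
    path = event.get("TargetFilename")
    if not isinstance(path, str):
        return False
    p = path.lower()
    return p.startswith(PREFIX.lower()) and p.endswith(SUFFIX.lower())


# Constructed sample events (hypothetical users, paths and processes).
SAMPLE_EVENTS = [
    # Payload staged under the user's Temp folder as pe386.dll: should fire.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\stage.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\pe386.dll"},
    # Same location with different casing: still matches (case-insensitive).
    {"EventID": 11, "Image": r"C:\Users\bob\Desktop\a.exe",
     "TargetFilename": r"C:\USERS\BOB\AppData\Local\Temp\PE386.DLL"},
    # Right file name, but not under a user profile: the prefix fails.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\pe386.dll"},
    # A profiler's own DLL in the user's Temp folder (hypothetical name):
    # the rule is an indicator on one file name, so this never fires.
    {"EventID": 11, "Image": r"C:\Program Files\JetBrains\dotTrace\dotTrace.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\JetBrains.Profiler.Core.dll"},
    # Right name, user profile, but not in AppData\Local\Temp: the suffix fails.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\stage.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\pe386.dll"},
]


def hunt(events):
    """Return the TargetFilename of every event that satisfies the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT: UAC bypass staging via .NET profiler (pe386.dll):", hit)
```

Two things the run makes obvious. First, the rule is an indicator on a single file name in a single location, not a behavioral detection: renaming the payload evades it, so it is best paired with telemetry on what the technique needs to work, such as the COR_ENABLE_PROFILING and COR_PROFILER values being written under HKCU\Environment (a companion rule of that kind is a suggestion here, not something the page's rule covers). Second, the creating process is recorded in the file event's Image field, so any exclusion you do add belongs on that field, never on the user account.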
Scenario: Legitimate Use of MMC for Administrative Tasks
Description: An administrator opens an MMC console (e.g., eventvwr.msc, services.msc) to manage services or configure system settings. MMC loads .NET snap-in assemblies as part of this, but it does not write a file named pe386.dll into the user's AppData\Local\Temp folder, so ordinary console use does not satisfy the rule's selection.
Filter/Exclusion: None needed. Do not exclude hits because they come from a known administrator account: the bypass targets exactly such accounts (an administrator whose token UAC has filtered), so a hit under an admin user is the expected shape of a true positive, not grounds for suppression.
Scenario: Scheduled Job Running .NET Code Profiler
Description: A scheduled task runs a .NET application under a code profiler for performance monitoring. The profiler DLL is loaded from the profiler's installation directory under its own name, so the task by itself does not trigger the rule; the rule keys on the file name pe386.dll, not on DLL hijacking behavior.
Filter/Exclusion: If a hit does originate from a task, inspect the creating process (the Image field of the file-creation event, plus the matching process-creation event for its command line and parent) to confirm that a trusted profiler (e.g., JetBrains dotTrace, Redgate ANTS) wrote the file. Exclude only that specific Image path; never suppress the task or the user as a whole.
Scenario: .NET Profiler for Debugging Purposes
Description: A developer profiles an application with a .NET profiler (e.g., Visual Studio Profiler, Redgate ANTS). These tools register and load their own profiler DLLs under their own names and paths, so the only way they can trigger the rule is a coincidental file named pe386.dll in the user's Temp folder.
Filter/Exclusion: Treat a hit from a developer workstation like any other: verify the Image that created the file and the DLL's publisher and signature before excluding anything. Keep any exclusion scoped to the confirmed Image path; a blanket exclusion of profiler or development tools removes the little coverage a file-name indicator provides.
Scenario: System Update or Patching Process
Description: Windows Update and Configuration Manager (SCCM) clients run as SYSTEM and stage content under system locations (e.g., C:\Windows\SoftwareDistribution, C:\Windows\ccmcache), not in a user's AppData\Local\Temp folder, and they do not produce a pe386.dll there, so they will not match.
Filter/Exclusion: Not required. A hit whose creating Image is an update or patching agent would be anomalous rather than benign and should be investigated, not filtered.
Scenario: Third-Party Management Console Integration
Description: A third-party management console (e.g., Microsoft System Center, BMC Remedy) may use MMC and .NET assemblies for integration,