An adversary is bypassing UAC by leveraging an NTFS reparse point to hijack wusa.exe, allowing execution of malicious code with elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential UAC bypass attacks that could lead to persistent, high-impact compromises.
Detection Rule
```yaml
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
    condition: selection
falsepositives:
    - Unknown
level: high
```
```kql
imFileEvent
| where TargetFileName startswith "C:\\Users\\" and TargetFileName endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL"
```
**Scenario: Scheduled Task Running wusa.exe for Windows Update**
Description: A legitimate scheduled task may run wusa.exe to install updates, which could trigger the rule due to the presence of wusa.exe in the command line.
Filter/Exclusion: Check the command line arguments for wusa.exe and filter out instances where the update file path matches known Windows update locations (e.g., C:\Windows\SoftwareDistribution\).
**Scenario: Admin Performing DLL Hijacking for Compatibility Testing**
Description: An administrator may intentionally use DLL hijacking techniques (e.g., using UACMe or PsExec) to test application compatibility or bypass UAC in a controlled environment.
Filter/Exclusion: Exclude processes initiated by users with administrative privileges or those running from known test directories (e.g., C:\Temp\, C:\Tools\).
**Scenario: System File Check (sfc /scannow) Triggering wusa.exe**
Description: The sfc /scannow command may invoke wusa.exe as part of system file integrity checks, which could be flagged by the rule.
Filter/Exclusion: Filter events where the process is initiated by the System account or where the command line includes sfc /scannow.
**Scenario: PowerShell Script Using wusa.exe for Custom Update Deployment**
Description: A PowerShell script may be used to deploy custom updates or patches, invoking wusa.exe with a custom DLL path, which could be mistaken for a UAC bypass.
Filter/Exclusion: Exclude processes initiated by PowerShell scripts or where the DLL path is within a known enterprise patching directory (e.g., C:\PatchServer\).
**Scenario: Antivirus or Endpoint Protection Tool Using wusa.exe for Quar
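The following is an added example, not code from the Sigma rule, the Sentinel query or the UACMe project: it implements the rule's two selection conditions and one of the tuning ideas from the scenarios above (excluding events whose creating process runs from a known test directory) over constructed file-creation events, so the match semantics can be checked before the query is deployed. The `FileEvent` shape, the sample paths and the `C:\Tools\` exclusion are assumptions for illustration. One detail worth verifying in any port: both Sigma's `startswith`/`endswith` modifiers and KQL's `startswith`/`endswith` compare case-insensitively, so a DLL dropped as `...legacy-l1.dll` still matches; a port to a case-sensitive operator (KQL `endswith_cs`) would silently lose that coverage.

```python
"""Added example (not part of the Sigma rule, the Sentinel query or UACMe):
the rule's selection logic plus a directory-based exclusion, run over
constructed file-creation events."""

from dataclasses import dataclass
from typing import Iterable, List, Sequence

# The two conditions of the Sigma selection / KQL where-clause.
PREFIX = "C:\\Users\\"
SUFFIX = "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL"


@dataclass
class FileEvent:
    """Minimal stand-in for a file_event / imFileEvent row (assumed shape)."""
    image: str             # process that created the file
    target_filename: str   # full path of the created file


def is_uacme36_dll_drop(event: FileEvent) -> bool:
    """True when the event satisfies 'condition: selection'.

    Sigma modifiers and KQL startswith/endswith are case-insensitive, so both
    sides are lower-cased before comparison.
    """
    path = event.target_filename.lower()
    return path.startswith(PREFIX.lower()) and path.endswith(SUFFIX.lower())


def hunt(events: Iterable[FileEvent],
         excluded_image_prefixes: Sequence[str] = ()) -> List[FileEvent]:
    """Return matching events, dropping those whose creating process runs
    from an excluded directory (the 'known test directories' tuning idea).
    Every exclusion removes coverage, so keep the list short and reviewed."""
    hits = []
    for e in events:
        if not is_uacme36_dll_drop(e):
            continue
        image = e.image.lower()
        if any(image.startswith(p.lower()) for p in excluded_image_prefixes):
            continue
        hits.append(e)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: an installer writes an unrelated DLL into the user's Temp folder.
    FileEvent("C:\\Users\\alice\\Downloads\\setup.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\vcruntime140.dll"),
    # Match: the hijack DLL name dropped directly in %LOCALAPPDATA%\Temp.
    FileEvent("C:\\Users\\alice\\Downloads\\stage.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL"),
    # Match: same file name in lower case, different user profile.
    FileEvent("C:\\Users\\bob\\Downloads\\stage.exe",
              "C:\\Users\\bob\\appdata\\local\\temp\\api-ms-win-core-kernel32-legacy-l1.dll"),
    # Match on the path, but written by a tool under C:\Tools\ (tuning case).
    FileEvent("C:\\Tools\\compat-test.exe",
              "C:\\Users\\carol\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL"),
    # No match: same file name, but outside a user profile.
    FileEvent("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL"),
]


def untuned_hits() -> List[FileEvent]:
    """Rule as written: three of the five constructed events match."""
    return hunt(SAMPLE_EVENTS)


def tuned_hits() -> List[FileEvent]:
    """Rule plus the assumed C:\\Tools\\ exclusion: two events remain."""
    return hunt(SAMPLE_EVENTS, excluded_image_prefixes=["C:\\Tools\\"])


if __name__ == "__main__":
    for e in untuned_hits():
        print(f"ALERT level=high image={e.image} target={e.target_filename}")
```

Running the module prints one alert line per matching event. The exclusion is applied to the creating process path, not to the file path, because every true positive of this rule writes under a user profile and a file-path exclusion would have nothing to remove.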