Adversaries may bypass UAC by abusing Windows Media Player's osksupport.dll to run payloads with elevated privileges without an elevation prompt, a sign of attempted privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistence and elevation tactics early.
Detection Rule
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
    selection2:
        Image: 'C:\Windows\system32\DllHost.exe'
        TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
// ASIM imFileEvent field mapping: TargetFilePath is the full path of the created file, ActingProcessName is the process that wrote it
imFileEvent
| where (TargetFilePath startswith "C:\\Users\\" and TargetFilePath endswith "\\AppData\\Local\\Temp\\OskSupport.dll")
    or (ActingProcessName =~ "C:\\Windows\\system32\\DllHost.exe" and TargetFilePath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
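The rule's two selections evaluated over constructed Sysmon-style file events, as an added example that is not part of the Sigma rule or the Sentinel query above; field names follow the Sigma rule (Image is the writing process, TargetFilename the full path of the created file), and all usernames and process names are made up.

```python
# Added example, not the page's own code: evaluates the rule's selections
# over constructed file-event records to show what does and does not fire.

TEMP_DLL_PREFIX = "C:\\Users\\"
TEMP_DLL_SUFFIX = r"\AppData\Local\Temp\OskSupport.dll"
DLLHOST_IMAGE = r"C:\Windows\system32\DllHost.exe"
WMP_OSK_TARGET = r"C:\Program Files\Windows Media Player\osk.exe"

def _fold(value):
    # Sigma string matching is case-insensitive, as are KQL startswith/endswith/=~.
    return str(value or "").casefold()

def selection1(event):
    """OskSupport.dll created inside a user's %TEMP%, whatever process wrote it."""
    target = _fold(event.get("TargetFilename"))
    return target.startswith(_fold(TEMP_DLL_PREFIX)) and target.endswith(_fold(TEMP_DLL_SUFFIX))

def selection2(event):
    """DllHost.exe creating osk.exe inside the Windows Media Player folder."""
    return (_fold(event.get("Image")) == _fold(DLLHOST_IMAGE)
            and _fold(event.get("TargetFilename")) == _fold(WMP_OSK_TARGET))

def triggered(event):
    """Selections satisfied by this event; non-empty means 'condition: 1 of selection*' holds."""
    return [name for name, sel in (("selection1", selection1), ("selection2", selection2)) if sel(event)]

def alerts(events):
    """(TargetFilename, triggered selections) for every event the rule fires on."""
    return [(e["TargetFilename"], triggered(e)) for e in events if triggered(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\OskSupport.dll"},   # selection1
    {"Image": r"C:\Windows\system32\DllHost.exe",
     "TargetFilename": r"C:\Program Files\Windows Media Player\osk.exe"},      # selection2
    {"Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "TargetFilename": r"C:\Users\alice\Videos\training.mp4"},                 # normal playback: no match
    {"Image": r"C:\Windows\system32\DllHost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\scratch.tmp"},      # DllHost alone is not enough
    {"Image": r"C:\Windows\system32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\osksupport.dll"},                 # DLL outside %TEMP%: no match
]

if __name__ == "__main__":
    for target, sels in alerts(SAMPLE_EVENTS):
        print(f"ALERT {','.join(sels)}: {target}")
```

Only the first two sample events fire, which illustrates why ordinary Windows Media Player playback (the scenarios below) does not by itself create either file pattern.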
Scenario: Scheduled Job to Play Media File
Description: A scheduled task is configured to play a media file using Windows Media Player, which may trigger the rule due to the use of osksupport.dll.
Filter/Exclusion: Exclude processes initiated by scheduled tasks using the Task Scheduler service or filter by the presence of a .wmv or .mp4 file in the command line.
Scenario: System Maintenance Tool Using Windows Media Player
Description: A legitimate system maintenance tool (e.g., Microsoft System File Checker or DISM) may use Windows Media Player internally during repair processes.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe or explorer.exe, and filter by the presence of known system repair tools in the command line.
Scenario: User Playing a Video via Windows Media Player
Description: A user is playing a video file using Windows Media Player, which may trigger the rule due to the use of osksupport.dll.
Filter/Exclusion: Exclude processes where the user is a regular user and the file being played is a known media file (e.g., .mp4, .wmv) and not a suspicious executable.
Scenario: Administrative Task to Test UAC Bypass
Description: An admin is testing UAC bypass techniques as part of a security assessment, using a known method involving Windows Media Player.
Filter/Exclusion: Exclude processes where the user has administrative privileges and the command line includes terms like test, assessment, or security.
Scenario: Enterprise Software Using Windows Media Player for Media Playback
Description: An enterprise application (e.g., a training platform or internal portal) uses Windows Media Player to play instructional videos, which may trigger the rule.
Filter/Exclusion: Exclude processes