UAC Bypass Using Windows Media Player - Process

Hunt Hypothesis

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Detection Rule

Sigma (Original)

title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_1:
        Image: 'C:\Program Files\Windows Media Player\osk.exe'
    selection_img_2:
        Image: 'C:\Windows\System32\cmd.exe'
        ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
    selection_integrity:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: 1 of selection_img_* and selection_integrity
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName =~ "C:\\Program Files\\Windows Media Player\\osk.exe" or (TargetProcessName =~ "C:\\Windows\\System32\\cmd.exe" and ActingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")) and (TargetProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Privilege Escalation
• Technique: T1548.002 — T1548.002

References

• https://github.com/hfiref0x/UACME
• SigmaHQ Rule