Adversaries may use UACElevator.exe to bypass User Account Control and execute privileged code without proper authorization. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential elevation of privilege attacks and mitigate lateral movement risks.
YARA Rule
rule UACElevator {
    meta:
        description = "UACElevator bypassing UAC - file UACElevator.exe"
        author = "Florian Roth"
        reference = "https://github.com/MalwareTech/UACElevator"
        date = "2015-05-14"
        hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
    strings:
        $x1 = "\\UACElevator.pdb" ascii
        $s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
        $s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
        $s3 = "Infection module: %s" fullword ascii
        $s4 = "Could not save module to %s" fullword ascii
        $s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
        $s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
        $s7 = "Stack around the variable '" fullword ascii
        $s8 = "MSVCR120D.dll" fullword wide
        $s9 = "Address: 0x" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 172KB and
        ( $x1 or 8 of ($s*) )
}
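As an added illustration (not part of the page and not Florian Roth's code), the following Python re-implements the rule's condition: the little-endian uint16 read of the MZ magic, the filesize bound, YARA's ascii/wide and fullword string semantics (approximated with regular expressions), and the ( $x1 or 8 of ($s*) ) logic, exercised over constructed byte buffers so the effect of each clause is visible. It uses only the standard library; an actual deployment would load the rule through the yara-python bindings rather than this approximation.

```python
import re
import struct

# The rule's strings as transcribed from the page: name -> (text, wide, fullword).
RULE_STRINGS = {
    "$x1": ("\\UACElevator.pdb", False, False),
    "$s1": ("%userprofile%\\Downloads\\dwmapi.dll", False, True),
    "$s2": ("%windir%\\system32\\dwmapi.dll", False, True),
    "$s3": ("Infection module: %s", False, True),
    "$s4": ("Could not save module to %s", False, True),
    "$s5": ("%s%s%p%s%ld%s%d%s", False, True),
    "$s6": ("Stack area around _alloca memory reserved by this function is corrupted", False, True),
    "$s7": ("Stack around the variable '", False, True),
    "$s8": ("MSVCR120D.dll", True, True),
    "$s9": ("Address: 0x", False, True),
}
MAX_SIZE = 172 * 1024  # "filesize < 172KB": YARA's KB suffix means 1024 bytes

def string_matches(data: bytes, text: str, wide: bool, fullword: bool) -> bool:
    # "wide" encodes the pattern as UTF-16LE, "ascii" as raw bytes, as YARA does.
    pat = re.escape(text.encode("utf-16-le") if wide else text.encode("ascii"))
    if fullword:
        # fullword: no alphanumeric character directly before or after the match
        # (for wide strings that character is two bytes, e.g. b"a\x00").
        alnum = rb"[A-Za-z0-9]\x00" if wide else rb"[A-Za-z0-9]"
        pat = rb"(?<!" + alnum + rb")" + pat + rb"(?!" + alnum + rb")"
    return re.search(pat, data) is not None

def matched_strings(data: bytes) -> set:
    return {n for n, (t, w, f) in RULE_STRINGS.items() if string_matches(data, t, w, f)}

def matches_rule(data: bytes) -> bool:
    # uint16(0) == 0x5a4d: the two little-endian bytes at offset 0 must be the "MZ" DOS magic.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    hits = matched_strings(data)
    # ( $x1 or 8 of ($s*) ): the PDB path alone is decisive; otherwise 8 of the 9 $s strings
    return "$x1" in hits or sum(n.startswith("$s") for n in hits) >= 8

# Constructed sample buffers (not real binaries), used to exercise the condition.
SAMPLE_PDB = b"MZ" + b"\x00" * 62 + b"D:\\build\\UACElevator.pdb\x00"
SAMPLE_EIGHT = b"MZ" + b"\x00" * 62 + b"\x00\x00".join(
    t.encode("utf-16-le") if w else t.encode("ascii")
    for n, (t, w, _) in RULE_STRINGS.items() if n in {f"$s{i}" for i in range(1, 9)})
SAMPLE_PARTIAL = b"MZ\x00\x00Infection module: %s\x00Address: 0x\x00"
SAMPLE_NOT_PE = b"PK\x03\x04" + b"\\UACElevator.pdb"
SAMPLE_NOT_FULLWORD = b"MZ\x00\x00xAddress: 0x1\x00"  # $s9 glued to alphanumerics
```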
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns ($x1 and $s1 through $s9) in its detection logic.
Scenario: Legitimate use of UACElevator.exe by a system administrator for testing UAC bypass techniques
Filter/Exclusion: Check for the presence of a known admin tool or script (e.g., PsExec, PowerShell with the -Command parameter) in the command-line context.
Example Filter: process.parent_process_name != "cmd.exe" AND process.parent_process_name != "powershell.exe"

Scenario: Scheduled job running UACElevator.exe as part of a maintenance task
Filter/Exclusion: Check whether the process was started by a scheduled task (Task Scheduler).
Example Filter: process.parent_process_name != "schtasks.exe"

Scenario: UACElevator.exe used in a penetration testing lab environment
Filter/Exclusion: Check for the presence of a known penetration testing tool or environment (e.g., Metasploit, Kali Linux, VirtualBox).
Example Filter: process.parent_process_name != "msfconsole.exe" AND process.parent_process_name != "virtualbox.exe"

Scenario: User manually runs UACElevator.exe to test UAC behavior without administrative intent
Filter/Exclusion: Check the user context (e.g., a non-admin user) or the presence of a known test script.
Example Filter: user.rights != "Administrators" OR process.command_line_contains("test")

Scenario: UACElevator.exe is part of a legitimate software package or tool used for system diagnostics
Filter/Exclusion: Check for the presence of a known diagnostic tool or software (e.g., Sysinternals tools, Process Explorer).
Example Filter: process.parent_process_name != "procexp.exe" AND process.parent_process_name != "handle.exe"