Skip to content
Threat Feed
high advisory

Windows ComputerDefaults Process Spawning Detection

The ComputerDefaults.exe process, used for managing default application associations in Windows, can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges, which is detected by monitoring abnormal parent-child process relationships.

The Windows ComputerDefaults.exe process is a legitimate system utility designed to manage default application associations. However, attackers can abuse this process to bypass User Account Control (UAC) and execute malicious code with elevated privileges. This technique involves spawning unauthorized processes from ComputerDefaults.exe, potentially leading to privilege escalation and system compromise. Defenders should monitor for unusual parent-child process relationships, deviations from standard paths, and other anomalous execution patterns involving ComputerDefaults.exe. This activity is linked to exploitation attempts related to the Castle RAT and BlankGrabber Stealer malware families.

Attack Chain

  1. The attacker gains initial access to the system through a separate vector (e.g., phishing, exploit).
  2. Malicious code is executed, potentially dropped to disk or run directly in memory.
  3. The attacker leverages ComputerDefaults.exe to bypass UAC.
  4. ComputerDefaults.exe is executed, spawning a child process. This child process is the malicious payload.
  5. The spawned process executes with elevated privileges, inherited from ComputerDefaults.exe.
  6. The malicious process performs its intended actions, such as installing malware, modifying system settings, or establishing persistence.
  7. Data exfiltration, lateral movement, or other malicious activities may follow, depending on the attacker's objectives.

Impact

Successful exploitation of ComputerDefaults.exe can lead to privilege escalation, allowing attackers to gain elevated access to the compromised system. This can result in the installation of malware, modification of system settings, data theft, and potentially complete system compromise. The attack is often used to bypass UAC controls and execute malicious scripts undetected, making it harder for traditional security measures to identify and prevent the attack. This is used by malware such as Castle RAT and BlankGrabber Stealer.

Recommendation

  • Implement the Sigma rule Detect Suspicious ComputerDefaults Child Processes to identify abnormal process creation events with ComputerDefaults.exe as the parent process.
  • Enable Sysmon process creation logging (Event ID 1) to capture the necessary data for the Sigma rules.
  • Investigate any alerts generated by the Sigma rules, focusing on the spawned process and its subsequent activity.
  • Monitor parent-child process relationships involving ComputerDefaults.exe for deviations from expected behavior.

Detection coverage 2

Detect Suspicious ComputerDefaults Child Processes

high

Detects the spawning of unusual child processes from ComputerDefaults.exe, indicating a potential UAC bypass attempt.

sigma tactics: defense_evasion, privilege_escalation techniques: T1548.002 sources: process_creation, windows

Detect ComputerDefaults with Suspicious CommandLine

medium

Detects ComputerDefaults.exe being executed with command line arguments indicative of abuse.

sigma tactics: defense_evasion, privilege_escalation techniques: T1548.002 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →