Windows ComputerDefaults Process Spawning Detection
The ComputerDefaults.exe process, used for managing default application associations in Windows, can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges, which is detected by monitoring abnormal parent-child process relationships.
The Windows ComputerDefaults.exe process is a legitimate system utility designed to manage default application associations. However, attackers can abuse this process to bypass User Account Control (UAC) and execute malicious code with elevated privileges. This technique involves spawning unauthorized processes from ComputerDefaults.exe, potentially leading to privilege escalation and system compromise. Defenders should monitor for unusual parent-child process relationships, deviations from standard paths, and other anomalous execution patterns involving ComputerDefaults.exe. This activity is linked to exploitation attempts related to the Castle RAT and BlankGrabber Stealer malware families.
Attack Chain
- The attacker gains initial access to the system through a separate vector (e.g., phishing, exploit).
- Malicious code is executed, potentially dropped to disk or run directly in memory.
- The attacker leverages
ComputerDefaults.exeto bypass UAC. ComputerDefaults.exeis executed, spawning a child process. This child process is the malicious payload.- The spawned process executes with elevated privileges, inherited from
ComputerDefaults.exe. - The malicious process performs its intended actions, such as installing malware, modifying system settings, or establishing persistence.
- Data exfiltration, lateral movement, or other malicious activities may follow, depending on the attacker's objectives.
Impact
Successful exploitation of ComputerDefaults.exe can lead to privilege escalation, allowing attackers to gain elevated access to the compromised system. This can result in the installation of malware, modification of system settings, data theft, and potentially complete system compromise. The attack is often used to bypass UAC controls and execute malicious scripts undetected, making it harder for traditional security measures to identify and prevent the attack. This is used by malware such as Castle RAT and BlankGrabber Stealer.
Recommendation
- Implement the Sigma rule
Detect Suspicious ComputerDefaults Child Processesto identify abnormal process creation events withComputerDefaults.exeas the parent process. - Enable Sysmon process creation logging (Event ID 1) to capture the necessary data for the Sigma rules.
- Investigate any alerts generated by the Sigma rules, focusing on the spawned process and its subsequent activity.
- Monitor parent-child process relationships involving
ComputerDefaults.exefor deviations from expected behavior.
Detection coverage 2
Detect Suspicious ComputerDefaults Child Processes
highDetects the spawning of unusual child processes from ComputerDefaults.exe, indicating a potential UAC bypass attempt.
Detect ComputerDefaults with Suspicious CommandLine
mediumDetects ComputerDefaults.exe being executed with command line arguments indicative of abuse.
Detection queries are available on the platform. Get full rules →