Advisory severity: high

SLUI RunAs Elevated Privilege Escalation

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

This analytic detects the execution of the Microsoft Software Licensing User Interface Tool (`slui.exe`) with elevated privileges using the `-verb runas` parameter. The activity is identified from Endpoint Detection and Response (EDR) agent logs, focusing on specific registry keys and command-line parameters. The behavior is significant because it indicates a potential privilege escalation attempt, which could allow an attacker to gain elevated access and execute malicious actions with higher privileges. The technique abuses a built-in Windows utility to bypass User Account Control (UAC) and run commands with elevated privileges, and it can form part of a larger attack chain used to gain persistence or deploy malware.

Attack Chain

  1. An attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.
  2. The attacker executes slui.exe with the -verb runas parameter.
  3. The command bypasses UAC due to the trusted nature of slui.exe.
  4. This elevated process allows the execution of arbitrary commands or scripts with administrative privileges.
  5. The attacker leverages the elevated privileges to install malicious software or modify system settings.
  6. The attacker establishes persistence by creating a scheduled task or modifying registry keys.
  7. The attacker uses the compromised system as a pivot point to access other systems on the network.
  8. The attacker exfiltrates sensitive data or deploys ransomware.

Impact

Successful exploitation can lead to complete system compromise, allowing attackers to install malware, steal sensitive information, or disrupt business operations. An attacker achieving privilege escalation can bypass security controls and gain unauthorized access to critical resources. This may lead to data breaches, financial loss, and reputational damage. Depending on the attacker’s objectives, the compromised system can be used to further compromise the internal network, leading to a wider scale incident.

Recommendation

  • Deploy the Sigma rule Detect SLUI RunAs Elevated to your SIEM to identify instances of slui.exe being executed with the -verb runas parameter.
  • Monitor process execution logs for instances of slui.exe being launched with suspicious command-line arguments to catch potential privilege escalation attempts.
  • Implement application control policies to restrict the execution of unauthorized or potentially malicious software.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process and any subsequent actions taken by the elevated slui.exe process.
  • Review and harden UAC settings to prevent unauthorized elevation of privileges.
  • Refer to the provided references for more information on this UAC bypass technique.

Detection coverage (2 rules)

Detect SLUI RunAs Elevated

Severity: high

Detects the execution of slui.exe with the -verb runas parameter, indicating a potential UAC bypass and privilege escalation attempt.

Format: Sigma. Tactics: defense_evasion, privilege_escalation. Techniques: T1548.002. Sources: process_creation, windows.

Detect SLUI RunAs Elevated via Parent Process

Severity: medium

Detects the execution of slui.exe with the -verb runas parameter based on the parent process, indicating a potential UAC bypass and privilege escalation attempt.

Format: Sigma. Tactics: defense_evasion, privilege_escalation. Techniques: T1548.002. Sources: process_creation, windows.
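As an added illustration, not the vendor's rule logic or code from this advisory, the two detections above can be approximated in Python over constructed Sysmon-style process-creation events. The `-verb runas` regex, the list of script hosts used for the parent-process rule, and the sample events are assumptions made for this example; the point it shows is that a single launcher invocation yields two records, and only the launcher's command line carries the verb.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:           # constructed, simplified Sysmon Event ID 1 record
    image: str                # full path of the created process
    command_line: str         # its command line
    parent_image: str         # full path of the parent process

# "-verb runas", "-Verb RunAs", '/verb "runas"': assumed matching logic, not the vendor's.
VERB_RUNAS = re.compile(r"[-/]verb\s+['\"]?runas\b", re.IGNORECASE)
# Interpreters that typically host a Start-Process-style launch (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def detect_slui_runas(ev: ProcessEvent) -> bool:
    """High rule: the command line names slui.exe and requests the runas verb."""
    cl = ev.command_line.lower()
    return "slui.exe" in cl and VERB_RUNAS.search(cl) is not None

def detect_slui_via_parent(ev: ProcessEvent) -> bool:
    """Medium rule: slui.exe itself was spawned by a script host. The launcher
    consumes the verb, so slui.exe's own command line has no 'runas' to match."""
    return basename(ev.image) == "slui.exe" and basename(ev.parent_image) in SCRIPT_HOSTS

def triage(events):
    """Return (severity, rule name, event) for every event that fires a rule."""
    hits = []
    for ev in events:
        if detect_slui_runas(ev):
            hits.append(("high", "Detect SLUI RunAs Elevated", ev))
        elif detect_slui_via_parent(ev):
            hits.append(("medium", "Detect SLUI RunAs Elevated via Parent Process", ev))
    return hits

# Constructed sample: one PowerShell launch produces two records; two benign records stay quiet.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -nop -c "Start-Process slui.exe -Verb runas"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\slui.exe", '"C:\\Windows\\System32\\slui.exe"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\slui.exe", '"C:\\Windows\\System32\\slui.exe" 4',
                 r"C:\Windows\explorer.exe"),           # user opened activation UI
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c runas /user:admin notepad",
                 r"C:\Windows\explorer.exe"),           # runas.exe, not the -verb launch
]

if __name__ == "__main__":
    for severity, rule, ev in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {ev.command_line}")
```

Pairing the high hit with the medium hit by parent/child PID in a real pipeline is what lets an analyst tie the launcher to the elevated slui.exe process, which is the investigation the recommendations above call for.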
