Advisory severity: high

UAC Bypass via ICMLuaUtil Elevated COM Interface

Detects User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface, where attackers may attempt to stealthily execute code with elevated permissions, potentially leading to privilege escalation.

This detection rule identifies attempts to bypass User Account Control (UAC) on Windows systems using the ICMLuaUtil Elevated COM interface. Attackers exploit this interface to execute code with elevated privileges without requiring user interaction, effectively bypassing UAC’s security mechanisms. This can lead to stealthy execution of malicious code and privilege escalation, granting attackers greater control over the compromised system. The technique is documented in tools such as UACME. The rule is designed to detect this specific bypass by monitoring process creations with specific parent-child relationships and command-line arguments associated with the ICMLuaUtil COM interface. This technique has been observed across various attack scenarios, making it a significant threat to Windows environments.

Attack Chain

  1. An initial process is executed, often by the user, without elevated privileges.
  2. This process initiates a COM object, specifically targeting the ICMLuaUtil interface.
  3. dllhost.exe is spawned to host the COM object; it becomes the parent of the process launched in the following steps.
  4. dllhost.exe is executed with specific /Processid arguments, either {3E5FC7F9-9A51-4367-9063-A120244FBEC7} or {D2E7041B-2927-42FB-8E9F-7CE93B6DC937}, which correspond to the ICMLuaUtil interface.
  5. A child process is launched by dllhost.exe, inheriting elevated privileges. This process is often a script interpreter or another executable capable of running arbitrary code.
  6. The launched process executes malicious commands or code, taking advantage of the elevated privileges to perform actions such as installing malware, modifying system settings, or accessing sensitive data.
  7. The attacker gains persistence through the elevated process or by creating new scheduled tasks or services.
  8. The system is compromised, and the attacker has achieved privilege escalation, allowing them to perform nearly any action on the system.

Impact

Successful exploitation of this UAC bypass technique allows attackers to gain elevated privileges on compromised Windows systems. This can lead to the installation of malware, exfiltration of sensitive data, modification of system settings, and complete control over the affected system. Depending on the context of the user’s account, lateral movement may be possible to other systems.

Recommendation

  • Deploy the Sigma rule “UAC Bypass via ICMLuaUtil Elevated COM Interface” to your SIEM and tune for your environment to detect potential UAC bypass attempts.
  • Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule to function correctly, as specified in the rule’s setup instructions.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process, child process, and command-line arguments to determine whether the activity is legitimate or malicious, using the triage steps outlined in the rule’s “note” section.
  • Consider implementing application control solutions, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict the execution of unauthorized applications, as mentioned in the post-incident hardening recommendations.
  • Review and minimize local administrator group membership to reduce the attack surface for UAC bypass techniques.

Detection coverage (2 rules)

UAC Bypass via ICMLuaUtil Elevated COM Interface

high

Detects UAC bypass attempts via the ICMLuaUtil Elevated COM interface by monitoring process creations where dllhost.exe launches a child process with specific arguments.
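The attack chain and rule description above reduce to a small matching condition on Sysmon Event ID 1 records. The following is an added example written for this page, not the vendor's Sigma rule: it checks the parent/child relationship and the two /Processid CLSIDs named above, with an optional child-image allowlist that mirrors the WireGuard exclusion idea; the field names follow Sysmon's, and the sample events and paths are constructed.

```python
import re

# CLSIDs named on the page for the ICMLuaUtil elevated COM interface
ICMLUAUTIL_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",
}
# /Processid:{CLSID} as it appears on the dllhost.exe command line
PROCESSID_RE = re.compile(r"/processid:\s*(\{[0-9A-F-]{36}\})", re.IGNORECASE)

def is_icmluautil_bypass(event: dict, allowed_children: frozenset = frozenset()) -> bool:
    """True when a Sysmon process-creation event matches the bypass pattern:
    parent is dllhost.exe, its command line carries one of the ICMLuaUtil
    CLSIDs, and the child image is not allowlisted (allowlist is an
    assumption modelled on the page's WireGuard exclusion rule).
    """
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith("\\dllhost.exe"):
        return False
    m = PROCESSID_RE.search(event.get("ParentCommandLine", ""))
    if not m or m.group(1).upper() not in ICMLUAUTIL_CLSIDS:
        return False
    child = event.get("Image", "").lower()
    return child not in {c.lower() for c in allowed_children}

def scan(events, allowed_children=frozenset()):
    """Return the child Image of every matching event, in input order."""
    return [e["Image"] for e in events if is_icmluautil_bypass(e, allowed_children)]

# Constructed sample events (not real telemetry): hit, allowlist candidate, other CLSID, unrelated parent
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",
     "Image": r"C:\Program Files\WireGuard\wireguard.exe"},
    {"ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{AAAAAAAA-0000-0000-0000-000000000000}",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT: dllhost.exe (ICMLuaUtil) spawned", hit)
```

Without an allowlist both dllhost.exe children with a matching CLSID fire; passing the WireGuard path as an allowed child reproduces the lower-severity exclusion rule's behaviour.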

Rule format: Sigma. Tactic: privilege_escalation. Technique: T1548. Log sources: process_creation, windows.

UAC Bypass via ICMLuaUtil Elevated COM - WireGuard Exclusion

medium

Detects UAC bypass attempts via the ICMLuaUtil Elevated COM interface, excluding WireGuard installations performing legitimate tasks.

Rule format: Sigma. Tactic: privilege_escalation. Technique: T1548. Log sources: process_creation, windows.
