Attack Chain

1. The attacker gains initial access to the system, possibly through phishing or other means.
2. The attacker drops a malicious executable into a temporary directory, such as C:\Users\<user>\AppData\Local\Temp\IDC*.tmp\.
3. The attacker invokes ieinstal.exe with the -Embedding argument, specifying the path to the malicious executable.
4. ieinstal.exe, running with elevated privileges, launches the malicious executable due to COM object handling.
5. The malicious executable executes with elevated privileges, bypassing UAC prompts.
6. The attacker leverages elevated privileges to perform malicious activities, such as installing malware or modifying system settings.
7. The attacker establishes persistence to maintain elevated access across system reboots.

Impact

Successful exploitation of this UAC bypass technique allows attackers to execute arbitrary code with elevated privileges, bypassing security controls designed to prevent unauthorized system modifications. This can lead to the installation of malware, data theft, or complete system compromise. The severity of the impact is high, as it grants attackers significant control over the affected system.

Recommendation

• Deploy the Sigma rule “UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer” to your SIEM to detect potential UAC bypass attempts.
• Enable Sysmon process creation logging to capture the necessary events for the Sigma rule to function correctly.
• Monitor process execution from temporary directories, specifically those matching the pattern C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe.
• Investigate any instances of ieinstal.exe being executed with the -Embedding argument, as this is a key indicator of the UAC bypass attempt.
• Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.