Bypass UAC via CompMgmtLauncher

Identifies use of CompMgmtLauncher.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

id:7efc7afe-8396-4bf0-ac7d-1a860a401d22 categories:detect confidence:medium os:windows created:12/04/2019 updated:12/04/2019

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation techniques:T1088 Bypass User Account Control

Query

sequence with maxspan=10s
 [registry where registry_path == "*\\mscfile\\shell\\open\\command*" and user_name != "SYSTEM"]
 [process where subtype.create and parent_process_path == "C:\\Windows\\System32\\CompMgmtLauncher.exe"]

Contributors

• Daniel Stepanic

References

• https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking
• https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql