Bypass UAC via CompMgmtLauncher

Identifies use of CompMgmtLauncher.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

id: 7efc7afe-8396-4bf0-ac7d-1a860a401d22
categories: detect
confidence: medium
os: windows
created: 12/04/2019
updated: 12/04/2019

MITRE ATT&CK™ Mapping

tactics: Privilege Escalation
techniques: T1088 Bypass User Account Control

Query

sequence with maxspan=10s
  [registry where registry_path == "*\\mscfile\\shell\\open\\command*" and user_name != "SYSTEM"]
  [process where subtype.create and parent_process_path == "C:\\Windows\\System32\\CompMgmtLauncher.exe"]
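As an added example, not part of the analytics library entry above, the following Python script emulates the two-stage sequence over constructed telemetry: stage 1 is a non-SYSTEM write under the mscfile handler key, stage 2 is a process created with CompMgmtLauncher.exe as parent, and the two must fall within the 10-second maxspan window. Field names mirror the query; the sample events, timestamps, SIDs, user names and the detect() helper are all assumptions made for illustration.

```python
import fnmatch
from datetime import datetime, timedelta

# Constants mirroring the EQL query above.
MAXSPAN = timedelta(seconds=10)
REGISTRY_PATTERN = "*\\mscfile\\shell\\open\\command*"
LAUNCHER = "C:\\Windows\\System32\\CompMgmtLauncher.exe"


def matches_registry_stage(event):
    """Stage 1: a non-SYSTEM write under the mscfile shell\\open\\command handler key.
    EQL string comparisons are case-insensitive, so both sides are lowercased."""
    return (event["event_type"] == "registry"
            and fnmatch.fnmatchcase(event["registry_path"].lower(), REGISTRY_PATTERN.lower())
            and event["user_name"] != "SYSTEM")


def matches_process_stage(event):
    """Stage 2: a process creation whose parent is CompMgmtLauncher.exe."""
    return (event["event_type"] == "process"
            and event.get("subtype") == "create"
            and event["parent_process_path"].lower() == LAUNCHER.lower())


def find_sequences(events, maxspan=MAXSPAN):
    """Emulate `sequence with maxspan=10s [stage1] [stage2]`: every stage-1 event
    opens a window; the next stage-2 event inside that window completes a match."""
    pending = []   # stage-1 events still waiting for their stage-2 event
    matches = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        # Drop open windows that have exceeded maxspan.
        pending = [p for p in pending if ev["timestamp"] - p["timestamp"] <= maxspan]
        if matches_registry_stage(ev):
            pending.append(ev)
        elif matches_process_stage(ev) and pending:
            matches.append((pending.pop(0), ev))
    return matches


# Constructed sample telemetry (not real logs): one true sequence, one SYSTEM write
# that stage 1 excludes, and one registry write whose child process arrives too late.
T0 = datetime(2019, 12, 4, 10, 0, 0)
SAMPLE_EVENTS = [
    {"event_type": "registry", "timestamp": T0, "user_name": "alice",
     "registry_path": "HKEY_USERS\\S-1-5-21-0-0-0-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"event_type": "process", "subtype": "create", "timestamp": T0 + timedelta(seconds=3),
     "process_path": "C:\\Windows\\System32\\cmd.exe",
     "parent_process_path": "C:\\Windows\\System32\\CompMgmtLauncher.exe"},
    {"event_type": "registry", "timestamp": T0 + timedelta(minutes=5), "user_name": "SYSTEM",
     "registry_path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"event_type": "process", "subtype": "create", "timestamp": T0 + timedelta(minutes=5, seconds=1),
     "process_path": "C:\\Windows\\System32\\mmc.exe",
     "parent_process_path": "C:\\Windows\\System32\\CompMgmtLauncher.exe"},
    {"event_type": "registry", "timestamp": T0 + timedelta(minutes=10), "user_name": "bob",
     "registry_path": "HKEY_USERS\\S-1-5-21-0-0-0-1002\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"event_type": "process", "subtype": "create", "timestamp": T0 + timedelta(minutes=10, seconds=30),
     "process_path": "C:\\Windows\\System32\\mmc.exe",
     "parent_process_path": "C:\\Windows\\System32\\CompMgmtLauncher.exe"},
]


def detect(events=SAMPLE_EVENTS):
    """Return the matched (registry, process) pairs for a batch of events."""
    return find_sequences(events)


if __name__ == "__main__":
    for reg, proc in detect():
        print(f"{reg['timestamp']} {reg['user_name']} wrote {reg['registry_path']}")
        print(f"{proc['timestamp']} CompMgmtLauncher.exe spawned {proc['process_path']}")
```

Only the first pair fires: the SYSTEM write is filtered out by stage 1, and bob's write expires before its child process appears. Two tuning points follow from the emulation. CompMgmtLauncher.exe legitimately spawns mmc.exe for compmgmt.msc, so stage 2 on its own is noisy; the registry stage and the SYSTEM exclusion are what make the sequence specific. And because the query has no `by` clause, a stage-1 event on one host can pair with a stage-2 event on another in a multi-host feed; joining on a host identifier (for example `by hostname`, if that field exists in your schema) keeps the windows per machine.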

Contributors