# Bypass UAC via CompMgmtLauncher
Identifies use of CompMgmtLauncher.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
| field | value |
|---|---|
| id | 7efc7afe-8396-4bf0-ac7d-1a860a401d22 |
| categories | detect |
| confidence | medium |
| os | windows |
| created | 12/04/2019 |
| updated | 12/04/2019 |
## MITRE ATT&CK™ Mapping

| field | value |
|---|---|
| tactics | Privilege Escalation |
| techniques | T1088 Bypass User Account Control |
## Query

```eql
sequence with maxspan=10s
  [registry where registry_path == "*\\mscfile\\shell\\open\\command*" and user_name != "SYSTEM"]
  [process where subtype.create and parent_process_path == "C:\\Windows\\System32\\CompMgmtLauncher.exe"]
```
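As an added example that is not part of the original analytic, the Python below re-implements the two-stage sequence offline (stage 1: a non-SYSTEM write to the mscfile handler key; stage 2: a child of CompMgmtLauncher.exe within 10 s) and runs it over constructed sample events. The event dictionary layout, user names, hive SIDs and timestamps are assumptions.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=10)                            # maxspan=10s in the rule
REGISTRY_PATTERN = "*\\mscfile\\shell\\open\\command*"     # stage-1 registry_path filter
LAUNCHER = "C:\\Windows\\System32\\CompMgmtLauncher.exe"   # stage-2 parent_process_path

def matches_registry_stage(ev):
    """Stage 1: a non-SYSTEM write under the mscfile shell\\open\\command key."""
    return (ev["event_type"] == "registry"
            and fnmatchcase(ev["registry_path"].lower(), REGISTRY_PATTERN.lower())
            and ev["user_name"] != "SYSTEM")

def matches_process_stage(ev):
    """Stage 2: process creation whose parent is CompMgmtLauncher.exe."""
    return (ev["event_type"] == "process" and ev["subtype"] == "create"
            and ev["parent_process_path"].lower() == LAUNCHER.lower())

def find_sequences(events, maxspan=MAXSPAN):
    """Return (registry_event, process_event) pairs where stage 2 follows stage 1 within
    maxspan. Events are scanned in time order; a stage-1 event is consumed on first pairing."""
    pending, hits = [], []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if matches_registry_stage(ev):
            pending.append(ev)
        elif matches_process_stage(ev):
            # discard stage-1 events that fell outside the 10 s window
            pending = [p for p in pending if ev["timestamp"] - p["timestamp"] <= maxspan]
            if pending:
                hits.append((pending.pop(0), ev))
    return hits

def _ts(s):
    return datetime.fromisoformat(s)

SAMPLE_EVENTS = [  # constructed sample telemetry; hive SIDs, users and times are made up
    {"event_type": "registry", "timestamp": _ts("2019-12-04T10:00:00"), "user_name": "alice",
     "registry_path": "HKEY_USERS\\S-1-5-21-111\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"event_type": "process", "timestamp": _ts("2019-12-04T10:00:03"), "subtype": "create",
     "parent_process_path": LAUNCHER, "process_path": "C:\\Windows\\System32\\cmd.exe"},
    # SYSTEM writing the same key is excluded by stage 1 ...
    {"event_type": "registry", "timestamp": _ts("2019-12-04T11:00:00"), "user_name": "SYSTEM",
     "registry_path": "HKEY_USERS\\S-1-5-18\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    # ... so this child of the launcher has no stage-1 event within 10 s and is not reported
    {"event_type": "process", "timestamp": _ts("2019-12-04T11:00:30"), "subtype": "create",
     "parent_process_path": LAUNCHER, "process_path": "C:\\Windows\\System32\\mmc.exe"},
]
```

Running `find_sequences(SAMPLE_EVENTS)` reports only the alice/cmd.exe pair; the SYSTEM write and the out-of-window launcher child are dropped, mirroring the rule's two filters.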