Detectionhightest

UAC Bypass Using WOW64 Logger DLL Hijack

Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Christian Burkard (Nextron Systems)Created Mon Aug 23Updated Sun Oct 094f6c43e2-f989-4ea5-bcd8-843b49a0317cwindows

Log Source

WindowsProcess Access

ProductWindows← raw: windows

CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic

detection:
    selection:
        SourceImage|contains: ':\Windows\SysWOW64\'
        GrantedAccess: '0x1fffff'
        CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0004 · Privilege Escalation

Sub-techniques

T1548.002 · Bypass User Account Control

Rule Metadata

Rule ID

4f6c43e2-f989-4ea5-bcd8-843b49a0317c

Status

test

Level

high

Type

Detection

Created

Mon Aug 23

Modified

Sun Oct 09

Author

Christian Burkard (Nextron Systems)

Path

rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml

Raw Tags

attack.defense-evasionattack.privilege-escalationattack.t1548.002

View on GitHub