|
| 1 | +name: UAC bypass via assembly Native Image Cache hijack |
| 2 | +id: d10685d9-675c-4888-a246-85758e4c4515 |
| 3 | +version: 1.0.0 |
| 4 | +description: | |
| 5 | + Detects attempts to bypass User Account Control (UAC) by hijacking the |
| 6 | + .NET Native Image Cache (NativeImages) through unauthorized DLL creation |
| 7 | + followed by execution in a high-integrity process, a technique commonly |
| 8 | + abused to achieve local privilege escalation. |
| 9 | +labels: |
| 10 | + tactic.id: TA0004 |
| 11 | + tactic.name: Privilege Escalation |
| 12 | + tactic.ref: https://attack.mitre.org/tactics/TA0004/ |
| 13 | + technique.id: T1548 |
| 14 | + technique.name: Abuse Elevation Control Mechanism |
| 15 | + technique.ref: https://attack.mitre.org/techniques/T1548/ |
| 16 | + subtechnique.id: T1548.002 |
| 17 | + subtechnique.name: Bypass User Account Control |
| 18 | + subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/ |
| 19 | +references: |
| 20 | + - https://github.com/hfiref0x/UACME |
| 21 | + |
| 22 | +condition: > |
| 23 | + sequence |
| 24 | + maxspan 1m |
| 25 | + |create_file and |
| 26 | + evt.pid != 4 and ps.sid != 'S-1-5-18' and |
| 27 | + file.path imatches '?:\\WINDOWS\\assembly\\NativeImages_*\\*.dll' and |
| 28 | + ps.exe not imatches |
| 29 | + ( |
| 30 | + '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe', |
| 31 | + '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe', |
| 32 | + '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe', |
| 33 | + '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe', |
| 34 | + '?:\\Windows\\servicing\\TrustedInstaller.exe' |
| 35 | + ) |
| 36 | + | as e1 |
| 37 | + |spawn_process and |
| 38 | + ps.token.integrity_level = 'HIGH' and |
| 39 | + thread.callstack.summary imatches concat('ntdll.dll|KernelBase.dll|*', $e1.file.name, '|*') |
| 40 | + | |
| 41 | +
|
| 42 | +severity: high |
| 43 | + |
| 44 | +min-engine-version: 3.0.0 |
0 commit comments