-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathuac.json
More file actions
455 lines (455 loc) · 23.8 KB
/
Copy pathuac.json
File metadata and controls
455 lines (455 loc) · 23.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
{
"dataset": {
"name": "EID Quick Reference - User Account Control",
"version": "1.2.0",
"generatedAt": "2026-05-10T00:00:00Z",
"id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/uac.json",
"schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
"license": {
"name": "Creative Commons Attribution 4.0 International",
"spdx": "CC-BY-4.0",
"notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
},
"sources": [
{
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/",
"type": "primary"
}
]
},
"entries": [
{
"id": 4,
"log": "UAC",
"provider": "Microsoft-Windows-UAC",
"channel": "Microsoft-Windows-UAC/Operational",
"level": "Information",
"title": "UAC auto-elevation — process elevated without user prompt",
"summary": "A process was automatically elevated to administrator privileges by UAC without displaying a consent dialog, using the auto-elevation path reserved for signed Windows binaries.",
"details": "Logged by the Microsoft-Windows-UAC provider when UAC grants a process administrator privileges via auto-elevation, without displaying a consent prompt. Auto-elevation is reserved for digitally-signed Microsoft binaries in System32 or SysWOW64. The Microsoft-Windows-UAC/Operational channel must be enabled to collect this event. Auto-elevation is the mechanism exploited by most documented UAC bypass techniques.",
"category": "Privilege Escalation",
"tags": [
"uac",
"uac-bypass",
"privilege-escalation",
"auto-elevation",
"defense-evasion"
],
"relatedEventIds": [
{
"id": 5,
"log": "UAC"
},
{
"id": 4688,
"log": "Security"
},
{
"id": 4703,
"log": "Security"
},
{
"id": 1,
"log": "Sysmon"
},
{
"id": 13,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1548.002",
"techniqueName": "Abuse Elevation Control Mechanism: Bypass User Account Control",
"tactics": [
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
}
],
"prerequisites": [
{
"type": "log-enablement",
"description": "The Microsoft-Windows-UAC/Operational channel is disabled by default and must be enabled before events will be collected.",
"command": "wevtutil sl Microsoft-Windows-UAC/Operational /e:true"
}
],
"notesGuidance": {
"investigationPivots": [
"Executable path — legitimate auto-elevation only occurs for digitally-signed Microsoft binaries under %SystemRoot%\\System32 or %SystemRoot%\\SysWOW64; any path outside these directories or any third-party executable is an immediate IOC",
"HKCU registry changes preceding the event — check Sysmon EID 13 for writes to HKCU\\Software\\Classes in the 60 seconds before the auto-elevation for COM hijacking evidence",
"Parent process — an auto-elevation spawned from an unusual parent (e.g., cmd.exe, wscript.exe, a non-administrative user context) is suspicious; Security 4688 / Sysmon 1 records the parent-child chain",
"User context — auto-elevation from a non-interactive or service account context is anomalous and warrants immediate review"
],
"commonFalsePositives": [
"Legitimate Windows administrative tools (mmc.exe, eventvwr.exe, diskmgmt.msc) auto-elevating during normal administrative work",
"Software installers and updaters from Microsoft that are signed and meet the auto-elevation criteria",
"Windows Update and servicing processes that use auto-elevation during patch installation"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works"
},
"volumeIndicator": "medium",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "ExePath",
"xpath": "EventData/Data[@Name='ExePath']",
"description": "Full path of the auto-elevated executable"
},
{
"name": "UserName",
"xpath": "EventData/Data[@Name='UserName']",
"description": "The user account under which the auto-elevation occurred"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "UAC Auto-Elevation Outside System32 — Possible UAC Bypass",
"rule": "Event\n| where Provider_Name == \"Microsoft-Windows-UAC\"\n| where EventID == 4\n| parse EventData with * \"<Data Name='ExePath'>\" ExePath \"</Data>\" *\n| where ExePath !startswith @\"C:\\Windows\\System32\"\n and ExePath !startswith @\"C:\\Windows\\SysWOW64\"\n and ExePath !startswith @\"C:\\Windows\\WinSxS\"\n| project TimeGenerated, Computer, ExePath, EventData",
"notes": "This rule will produce minimal noise since legitimate auto-elevation is almost exclusively from System32. Any hit outside those paths warrants investigation. Tune path exclusions for your environment if custom Microsoft-signed tooling is deployed."
},
{
"platform": "KQL",
"title": "UAC Auto-Elevation Preceded by HKCU Registry Write — COM Hijack Pattern",
"rule": "let AutoElevation = Event\n| where Provider_Name == \"Microsoft-Windows-UAC\"\n| where EventID == 4\n| project ElevationTime = TimeGenerated, Computer;\nlet HKCUWrite = Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 13\n| parse EventData with * \"<Data Name='TargetObject'>\" RegKey \"</Data>\" *\n| where RegKey has \"HKCU\\\\Software\\\\Classes\"\n| project RegWriteTime = TimeGenerated, Computer, RegKey;\nAutoElevation\n| join kind=inner HKCUWrite on Computer\n| where RegWriteTime < ElevationTime and RegWriteTime > datetime_add('second', -60, ElevationTime)\n| project ElevationTime, Computer, RegKey, RegWriteTime",
"notes": "This correlation rule is high-fidelity for registry-based UAC bypass techniques. Requires Sysmon with registry monitoring enabled (Event ID 13). The 60-second window covers the typical exploit pattern where the registry key is written and the bypass binary is immediately invoked."
},
{
"platform": "Sigma",
"title": "UAC Auto-Elevation Event",
"rule": "title: UAC Auto-Elevation Event\nstatus: experimental\nlogsource:\n product: windows\n service: uac-operational\n definition: Requires Microsoft-Windows-UAC/Operational channel enabled via wevtutil\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-UAC\n EventID: 4\n filter_system32:\n ExePath|startswith:\n - 'C:\\Windows\\System32\\'\n - 'C:\\Windows\\SysWOW64\\'\n - 'C:\\Windows\\WinSxS\\'\n condition: selection and not filter_system32\nfalsepositives:\n - Microsoft signed tools outside System32 (rare)\nlevel: high\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.002"
}
],
"lastReviewed": "2026-05-10"
},
{
"id": 5,
"log": "UAC",
"provider": "Microsoft-Windows-UAC",
"channel": "Microsoft-Windows-UAC/Operational",
"level": "Information",
"title": "UAC consent prompt displayed to user",
"summary": "UAC displayed an elevation consent dialog to the user for a process requesting administrative privileges, recording whether the user approved or denied.",
"details": "Logged when the UAC consent UI (consent.exe) presents an elevation prompt to the user. Records the executable requesting elevation, the requesting user, the privilege requested, and the user's response (approved or denied). The Microsoft-Windows-UAC/Operational channel must be enabled to collect this event.",
"category": "Privilege Escalation",
"tags": [
"uac",
"privilege-escalation",
"consent-prompt",
"user-interaction",
"elevation"
],
"relatedEventIds": [
{
"id": 4,
"log": "UAC"
},
{
"id": 4688,
"log": "Security"
},
{
"id": 4703,
"log": "Security"
},
{
"id": 1,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1548.002",
"techniqueName": "Abuse Elevation Control Mechanism: Bypass User Account Control",
"tactics": [
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
}
],
"prerequisites": [
{
"type": "log-enablement",
"description": "The Microsoft-Windows-UAC/Operational channel is disabled by default and must be enabled before events will be collected.",
"command": "wevtutil sl Microsoft-Windows-UAC/Operational /e:true"
}
],
"notesGuidance": {
"investigationPivots": [
"Executable path in the consent prompt — installers in %TEMP%, %APPDATA%, or user-writable directories are suspicious; expected elevation sources are %ProgramFiles% or %SystemRoot%",
"User response — an approved prompt for a suspicious binary is higher priority than a denied one, but both indicate the elevation attempt occurred",
"Frequency — more than 2-3 EID 5 events per day for a non-administrative user is anomalous on a managed workstation",
"Correlation with Security 4688 / Sysmon 1 — confirm what process started immediately after an approved consent (EID 5 approved followed by elevated process creation should follow within seconds)"
],
"commonFalsePositives": [
"Software installation and updates initiated by users (legitimate installers triggering UAC prompts)",
"Administrators performing routine system administration tasks that require elevation",
"IT deployment tools (e.g., PDQ Deploy, SCCM user-initiated installs) that prompt for UAC confirmation"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "ExePath",
"xpath": "EventData/Data[@Name='ExePath']",
"description": "Path of the executable requesting elevation"
},
{
"name": "UserName",
"xpath": "EventData/Data[@Name='UserName']",
"description": "The user who was prompted for elevation consent"
},
{
"name": "Decision",
"xpath": "EventData/Data[@Name='Decision']",
"description": "Whether the user approved or denied the elevation prompt"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "UAC Consent Prompt for Binary in User-Writable Location",
"rule": "Event\n| where Provider_Name == \"Microsoft-Windows-UAC\"\n| where EventID == 5\n| parse EventData with * \"<Data Name='ExePath'>\" ExePath \"</Data>\" *\n| where ExePath has_any (@\"\\AppData\\\", @\"\\Temp\\\", @\"\\Users\\\", @\"\\ProgramData\\\")\n and ExePath !has @\"\\AppData\\Local\\Microsoft\\\"\n| project TimeGenerated, Computer, ExePath, EventData",
"notes": "Elevation prompts for binaries in user-writable paths (AppData, Temp, ProgramData) are high-priority. Tune the exclusion list for legitimate tools deployed by your IT team to user profile directories."
},
{
"platform": "Sigma",
"title": "UAC Consent Prompt Presented to User",
"rule": "title: UAC Consent Prompt Presented to User\nstatus: experimental\nlogsource:\n product: windows\n service: uac-operational\n definition: Requires Microsoft-Windows-UAC/Operational channel enabled via wevtutil\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-UAC\n EventID: 5\n filter_programfiles:\n ExePath|startswith:\n - 'C:\\Program Files\\'\n - 'C:\\Program Files (x86)\\'\n - 'C:\\Windows\\'\n condition: selection and not filter_programfiles\nfalsepositives:\n - User-initiated software installations from Downloads or Desktop\n - IT-managed tools deployed to non-standard paths\nlevel: medium\ntags:\n - attack.privilege_escalation\n - attack.t1548.002"
}
],
"lastReviewed": "2026-05-10"
},
{
"id": 33,
"log": "UAC",
"provider": "Microsoft-Windows-UAC",
"channel": "Microsoft-Windows-UAC/Operational",
"level": "Information",
"title": "Application Information service started",
"summary": "The Application Information (AIS) service, which underpins UAC elevation prompts and token filtering, has started successfully.",
"details": "Logged when the Application Information service (AIS / AppInfo) starts successfully. The AIS is the Windows service responsible for processing UAC elevation requests, running consent.exe for interactive prompts, and creating elevated tokens for approved processes. The Microsoft-Windows-UAC/Operational channel must be enabled to collect this event. EID 33 is expected once per boot; a subsequent occurrence after EID 34 (service stop) during the same session indicates an unexpected service restart.",
"category": "Defense Evasion",
"tags": [
"uac",
"service-lifecycle",
"application-information-service",
"defense-evasion"
],
"relatedEventIds": [
{
"id": 34,
"log": "UAC"
},
{
"id": 4,
"log": "UAC"
},
{
"id": 5,
"log": "UAC"
},
{
"id": 7036,
"log": "System"
},
{
"id": 4688,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1548.002",
"techniqueName": "Abuse Elevation Control Mechanism: Bypass User Account Control",
"tactics": [
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
}
],
"prerequisites": [
{
"type": "log-enablement",
"description": "The Microsoft-Windows-UAC/Operational channel is disabled by default and must be enabled before events will be collected.",
"command": "wevtutil sl Microsoft-Windows-UAC/Operational /e:true"
}
],
"notesGuidance": {
"investigationPivots": [
"Is this the first EID 33 after boot, or a subsequent restart? Check for a preceding EID 34 (AIS service stop) to determine whether the service cycled unexpectedly",
"Correlation with System 7036 — confirms the service state change and records whether it was a normal start or a recovery from a failure",
"Process creation context — check Sysmon 1 for svchost.exe hosting the AppInfo service; unexpected parent or command-line arguments for the hosting svchost are anomalous"
],
"commonFalsePositives": [
"Normal system startup — EID 33 once per boot is expected",
"Service recovery after an unexpected crash of the AIS (Windows automatic service recovery restarts it)"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works"
},
"volumeIndicator": "rare",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "Message",
"xpath": "EventData/Data[@Name='Message']",
"description": "Confirms AIS startup; security value is in timing and recurrence rather than event content"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "Application Information Service Restart Mid-Session",
"rule": "Event\n| where Provider_Name == \"Microsoft-Windows-UAC\"\n| where EventID == 33\n| join kind=inner (\n Event\n | where Provider_Name == \"Microsoft-Windows-UAC\"\n | where EventID == 34\n | project StopTime = TimeGenerated, Computer\n) on Computer\n| where TimeGenerated > StopTime and TimeGenerated < datetime_add('minute', 5, StopTime)\n| project RestartTime = TimeGenerated, Computer, StopTime",
"notes": "AIS restarting within 5 minutes of a stop event (outside of system boot) is anomalous. The first EID 33 after boot will not have a corresponding EID 34 in the same session, so this query naturally filters to mid-session restarts."
},
{
"platform": "Sigma",
"title": "Application Information Service Started",
"rule": "title: Application Information Service Started\nstatus: informational\nlogsource:\n product: windows\n service: uac-operational\n definition: Requires Microsoft-Windows-UAC/Operational channel enabled via wevtutil\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-UAC\n EventID: 33\n condition: selection\nfalsepositives:\n - Normal system boot\nlevel: informational\ntags:\n - attack.defense_evasion\n - attack.t1548.002"
}
],
"lastReviewed": "2026-05-10"
},
{
"id": 34,
"log": "UAC",
"provider": "Microsoft-Windows-UAC",
"channel": "Microsoft-Windows-UAC/Operational",
"level": "Information",
"title": "Application Information service stopped",
"summary": "The Application Information (AIS) service, which underpins UAC elevation functionality, has stopped — an unexpected stop outside of system shutdown may indicate UAC enforcement disruption.",
"details": "Logged when the Application Information service (AIS / AppInfo) stops. Under normal conditions, the AIS runs continuously from boot to shutdown and does not stop except during system restart or explicit administrator action. The Microsoft-Windows-UAC/Operational channel must be enabled to collect this event. EID 34 is expected only at system shutdown (followed by System 6006/1074); a mid-session occurrence without a shutdown event indicates the service was deliberately stopped.",
"category": "Defense Evasion",
"tags": [
"uac",
"service-lifecycle",
"application-information-service",
"defense-evasion",
"privilege-escalation"
],
"relatedEventIds": [
{
"id": 33,
"log": "UAC"
},
{
"id": 4,
"log": "UAC"
},
{
"id": 5,
"log": "UAC"
},
{
"id": 7036,
"log": "System"
},
{
"id": 4688,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1548.002",
"techniqueName": "Abuse Elevation Control Mechanism: Bypass User Account Control",
"tactics": [
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
},
{
"techniqueId": "T1685",
"techniqueName": "Disable or Modify Tools",
"tactics": [
{
"tacticId": "TA0112",
"tacticName": "Defense Impairment"
}
]
}
],
"prerequisites": [
{
"type": "log-enablement",
"description": "The Microsoft-Windows-UAC/Operational channel is disabled by default and must be enabled before events will be collected.",
"command": "wevtutil sl Microsoft-Windows-UAC/Operational /e:true"
}
],
"notesGuidance": {
"investigationPivots": [
"Mid-session EID 34 — immediately check whether a system shutdown event (System 6006/1074) follows within 60 seconds; if not, the AIS was stopped while the system was running",
"Process that stopped the service — correlate Security 4688 / Sysmon 1 for sc.exe, net.exe, or PowerShell with 'stop AppInfo' or 'stop appinfo' arguments around the same timestamp",
"Follow-up EID 33 — a stop followed by a restart suggests deliberate manipulation; check for new or modified DLLs loaded by the restarted AIS process via Sysmon 7 (image loaded)"
],
"commonFalsePositives": [
"Normal system shutdown — EID 34 immediately followed by a System 6006/1074 shutdown event is expected behaviour",
"Service recovery restart after an unexpected AIS crash (Windows SCM automatically restarts the service)"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works"
},
"volumeIndicator": "rare",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "Message",
"xpath": "EventData/Data[@Name='Message']",
"description": "Confirms AIS shutdown; security value is in timing — mid-session occurrence is notable"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "Application Information Service Stopped Mid-Session",
"rule": "let AISStop = Event\n| where Provider_Name == \"Microsoft-Windows-UAC\"\n| where EventID == 34\n| project StopTime = TimeGenerated, Computer;\nlet SystemShutdown = Event\n| where EventID in (1074, 6006)\n| project ShutdownTime = TimeGenerated, Computer;\nAISStop\n| join kind=leftouter (SystemShutdown) on Computer\n| where isnull(ShutdownTime) or abs(datetime_diff('second', StopTime, ShutdownTime)) > 60\n| project StopTime, Computer",
"notes": "This query identifies AIS stops that are NOT followed by a system shutdown event within 60 seconds — the hallmark of a mid-session service stop. Requires the System log to be collected alongside UAC Operational events."
},
{
"platform": "KQL",
"title": "AIS Service Stop via Command Line",
"rule": "SecurityEvent\n| where EventID == 4688\n| where CommandLine has_any (\"AppInfo\", \"appinfo\")\n| where CommandLine has_any (\"stop\", \"Stop\")\n| where ParentProcessName !has \"services.exe\"\n| project TimeGenerated, Computer, Account, CommandLine, ParentProcessName",
"notes": "Detects explicit service stop commands targeting AppInfo. Legitimate service management from services.exe (Windows SCM) is filtered. Commands from cmd.exe, PowerShell, or other parents warrant investigation."
},
{
"platform": "Sigma",
"title": "Application Information Service Stopped",
"rule": "title: Application Information Service Stopped\nstatus: experimental\nlogsource:\n product: windows\n service: uac-operational\n definition: Requires Microsoft-Windows-UAC/Operational channel enabled via wevtutil\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-UAC\n EventID: 34\n condition: selection\nfalsepositives:\n - Normal system shutdown sequence\nlevel: high\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1562.001"
}
],
"lastReviewed": "2026-05-10"
}
]
}