rule: UAC Bypass via ICMLuaUtil

rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml

@@ -0,0 +1,28 @@
+title: UAC Bypass via ICMLuaUtil
+id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
+description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
+author: Florian Roth
+date: 2022/09/13
+status: experimental
+references:
+    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1548.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\dllhost.exe'
+        ParentCommandLine: 
+            - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+            - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
+    filter:
+        - Image|endswith: '\WerFault.exe'
+        - OriginalFileName: 'WerFault.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high