
Windows Handle Duplication in Known UAC-Bypass Binaries

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.

MITRE ATT&CK coverage

Tactic                Techniques
Privilege Escalation  T1134.001 Access Token Manipulation: Token Impersonation/Theft
Defense Evasion       T1134.001 Access Token Manipulation: Token Impersonation/Theft

Event coverage

Provider  Event ID  Title
Sysmon    10        ProcessAccess

Stages and Predicates

Stage 1: search

search NOT SourceImage IN ("%systemroot%\\*", "*C:\\Program Files (x86)\\*", "*C:\\Program Files\\*", "*C:\\Windows\\system32\\*", "*C:\\Windows\\syswow64\\*") EventCode=10 TargetImage IN ("*\PkgMgr.exe", "*\\ComputerDefaults.exe", "*\\colorcpl.exe", "*\\esentutl.exe", "*\\eventvwr.exe*", "*\\fodhelper.exe", "*\\mmc.exe", "*\\sdclt.exe", "*\\slui.exe", "*\\wsreset.exe")

Stage 2: eval

eval ... using (GrantedAccess)

Stage 3: eval

eval ...

Stage 4: eval

eval ... using (PROCESS_DUP_HANDLE, g_access_decimal)

Stage 5: where

where

Stage 6: stats

stats BY SourceImage, TargetImage, GrantedAccess, PROCESS_DUP_HANDLE, g_access_decimal, dup_handle_set, Guid, Opcode, ProcessID, SecurityID, SourceProcessGUID, SourceProcessId, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, CallTrace, EventID

Stage 7: search

search

Stage 8: search

search

Stage 9: search

search `macro`
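The stages above are shown only as an outline on this page (the eval and where bodies are elided), so the following is an added Python reconstruction of the detection logic run over constructed Sysmon Event ID 10 records. It is not the rule's own code: it assumes that stages 2 to 5 convert the hex GrantedAccess string to a decimal mask and test the PROCESS_DUP_HANDLE bit (0x0040, from winnt.h), and the sample events, field names and helper names are constructed for illustration.

```python
import fnmatch

# PROCESS_DUP_HANDLE (winnt.h): the access right needed to call DuplicateHandle on a process.
PROCESS_DUP_HANDLE = 0x0040

# Stage 1 exclusions, copied from the rule. "%systemroot%\\*" is kept verbatim; as a literal
# pattern it only matches a path that actually starts with that text.
EXCLUDED_SOURCE_PATTERNS = [
    "%systemroot%\\*", "*C:\\Program Files (x86)\\*", "*C:\\Program Files\\*",
    "*C:\\Windows\\system32\\*", "*C:\\Windows\\syswow64\\*",
]
# Stage 1 target list from the rule, reduced to basenames for matching.
UAC_BYPASS_TARGETS = {
    "pkgmgr.exe", "computerdefaults.exe", "colorcpl.exe", "esentutl.exe", "eventvwr.exe",
    "fodhelper.exe", "mmc.exe", "sdclt.exe", "slui.exe", "wsreset.exe",
}

def granted_access_decimal(granted: str) -> int:
    """Stages 2-3 (assumed): Sysmon logs GrantedAccess as a hex string such as 0x1FFFFF."""
    return int(granted, 16)

def source_is_excluded(source_image: str) -> bool:
    # Case-insensitive wildcard match, mirroring the NOT SourceImage IN (...) clause.
    return any(fnmatch.fnmatch(source_image.lower(), p.lower()) for p in EXCLUDED_SOURCE_PATTERNS)

def target_is_uac_bypass_binary(target_image: str) -> bool:
    return target_image.rsplit("\\", 1)[-1].lower() in UAC_BYPASS_TARGETS

def matches_rule(event: dict) -> bool:
    """Apply stages 1-5 to one Sysmon ProcessAccess (EventCode 10) record."""
    if event.get("EventCode") != 10:                                   # stage 1
        return False
    if source_is_excluded(event["SourceImage"]):                       # stage 1 exclusion
        return False
    if not target_is_uac_bypass_binary(event["TargetImage"]):          # stage 1 target list
        return False
    g_access_decimal = granted_access_decimal(event["GrantedAccess"])  # stages 2-3 (assumed)
    dup_handle_set = (g_access_decimal & PROCESS_DUP_HANDLE) == PROCESS_DUP_HANDLE  # stage 4 (assumed)
    return dup_handle_set                                              # stage 5: where dup_handle_set

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 10, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\fodhelper.exe", "GrantedAccess": "0x1FFFFF"},  # alert
    {"EventCode": 10, "SourceImage": "C:\\Users\\bob\\Downloads\\x.exe",
     "TargetImage": "C:\\Windows\\System32\\eventvwr.exe", "GrantedAccess": "0x1000"},    # no DUP_HANDLE bit
    {"EventCode": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\sdclt.exe", "GrantedAccess": "0x40"},         # trusted source, excluded
    {"EventCode": 10, "SourceImage": "C:\\Users\\bob\\x.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x40"},       # not a listed target
]

def alerting_targets(events):
    """Return the TargetImage of every event the rule would alert on."""
    return [e["TargetImage"] for e in events if matches_rule(e)]
```

Only the first sample fires: it is the one where an untrusted source opens a listed target with a mask that includes 0x0040, which is the triage starting point the description refers to.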

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage  Field  Kind  Excluded values
1      Image  in    "%systemroot%\\*", "*C:\\Program Files (x86)\\*", "*C:\\Program Files\\*", "*C:\\Windows\\system32\\*", "*C:\\Windows\\syswow64\\*"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        Kind  Values
EventCode    eq
  • 10 (corpus: 14, splunk: 14)
TargetImage  in
  • "*\PkgMgr.exe"
  • "*\\ComputerDefaults.exe"
  • "*\\colorcpl.exe"
  • "*\\esentutl.exe"
  • "*\\eventvwr.exe*"
  • "*\\fodhelper.exe"
  • "*\\mmc.exe"
  • "*\\sdclt.exe"
  • "*\\slui.exe"
  • "*\\wsreset.exe"