Detection: Windows Handle Duplication in Known UAC-Bypass Binaries

Description

The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.

Search

1`sysmon` EventCode=10 TargetImage IN("*\\ComputerDefaults.exe", "*\\eventvwr.exe*", "*\\fodhelper.exe","*\\slui.exe","*\\sdclt.exe","*\\mmc.exe", "*\\colorcpl.exe","*\\wsreset.exe","*\\esentutl.exe", "*\PkgMgr.exe") AND NOT (SourceImage IN ("*C:\\Windows\\system32\\*","*C:\\Windows\\syswow64\\*","*C:\\Program Files\\*", "*C:\\Program Files (x86)\\*","%systemroot%\\*")) 
2| eval g_access_decimal = tonumber(replace(GrantedAccess,"0x",""),16) 
3| eval PROCESS_DUP_HANDLE = 64 
4| eval dup_handle_set = bit_and (g_access_decimal, PROCESS_DUP_HANDLE) 
5| where dup_handle_set == PROCESS_DUP_HANDLE 
6| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage GrantedAccess PROCESS_DUP_HANDLE g_access_decimal dup_handle_set Guid Opcode ProcessID SecurityID SourceProcessGUID SourceProcessId  TargetProcessGUID TargetProcessId UserID dest granted_access parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product CallTrace EventID 
7| `security_content_ctime(firstTime)` 
8| `security_content_ctime(lastTime)` 
9| `windows_handle_duplication_in_known_uac_bypass_binaries_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 10	Windows	'XmlWinEventLog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Known False Positives

It is possible legitimate applications will request access to list of know abused Windows UAC binaries process, filter as needed.

Associated Analytic Story

• Castle RAT

Risk Based Analytics (RBA)

Risk Message:

A process $SourceImage$ is duplicating the handle token of $TargetImage$ on $dest$

References

• https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1