UAC Bypass Analysis

What is it & Why it matters?

What to look for?

How?

Where to begin?

UAC bypass alerts triggered from threat feed sources

Look for Commonalities…

Observation 1 — A number of activities happen between start & end of consent.exe

A number of cross-process activities between the start & end of consent.exe (PID 3712)

Observation 2 — One or more consent.exe processes start and end within a short span of time

Time-line of setupsqm.exe UAC bypass

It’s all about timing…

Regedit

Regedit process relationship in Windows 10
Legit Regedit elevation in Win10

Admin CMD Console (Windows client)

Again, about 2 seconds on the SVCHOST time-line
Time-line of elevated CMD.exe

Program Installer

SVCHOST time-line related to Installer run
Time-line for setup_timefreeze.exe

Generalised Detection
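The two observations above (cross-process activity while consent.exe is alive, and consent.exe lifetimes that are very short) can be turned into a single triage rule over process telemetry. The block below is an added example written for this page, not code from the original deck or its author. It assumes Sysmon-style process-create, process-terminate and cross-process events as Python dicts, a constructed sample containing one bypass-like consent.exe lifetime (PID 3712, as in the deck's Observation 1) and one legitimate one, and an illustrative 2-second lifetime threshold; the image name dropper.exe and all timestamps are made up for the sample.

```python
from datetime import datetime, timedelta

# Event types treated as cross-process activity (Sysmon-style names).
CROSS_PROCESS_EVENTS = {"ProcessAccess", "CreateRemoteThread", "WriteProcessMemory"}

# Constructed sample telemetry (not real captures), Sysmon-like in shape.
# Window A: consent.exe PID 3712 lives 600 ms and, while it is alive, an
# unrelated process (PID 2200, "dropper.exe", an invented name) performs
# cross-process operations into the auto-elevated binary.
# Window B: consent.exe PID 5000 lives ~6 s (user answering the prompt) and
# nothing else touches the elevation chain until after it exits.
SAMPLE_EVENTS = [
    {"time": "2020-01-01T10:00:00.000", "event": "ProcessCreate", "pid": 3712, "image": "consent.exe"},
    {"time": "2020-01-01T10:00:00.150", "event": "ProcessCreate", "pid": 4100, "image": "setupsqm.exe"},
    {"time": "2020-01-01T10:00:00.300", "event": "ProcessAccess", "pid": 2200, "target_pid": 4100, "image": "dropper.exe"},
    {"time": "2020-01-01T10:00:00.350", "event": "CreateRemoteThread", "pid": 2200, "target_pid": 4100, "image": "dropper.exe"},
    {"time": "2020-01-01T10:00:00.600", "event": "ProcessTerminate", "pid": 3712, "image": "consent.exe"},
    {"time": "2020-01-01T10:00:00.900", "event": "ProcessCreate", "pid": 4200, "image": "cmd.exe"},
    {"time": "2020-01-01T10:05:00.000", "event": "ProcessCreate", "pid": 5000, "image": "consent.exe"},
    {"time": "2020-01-01T10:05:06.200", "event": "ProcessTerminate", "pid": 5000, "image": "consent.exe"},
    {"time": "2020-01-01T10:05:06.400", "event": "ProcessCreate", "pid": 5100, "image": "regedit.exe"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def consent_windows(events):
    """Pair consent.exe ProcessCreate/ProcessTerminate by PID.

    Returns a list of (pid, start, end). A consent.exe that has not terminated
    yet (or whose start predates the telemetry) is not returned, so a caller
    that wants to catch an in-flight bypass must also look at open starts.
    """
    starts, windows = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev.get("image", "").lower() != "consent.exe":
            continue
        if ev["event"] == "ProcessCreate":
            starts[ev["pid"]] = parse_time(ev["time"])
        elif ev["event"] == "ProcessTerminate" and ev["pid"] in starts:
            windows.append((ev["pid"], starts.pop(ev["pid"]), parse_time(ev["time"])))
    return windows


def score_windows(events, max_lifetime=timedelta(seconds=2)):
    """Score each consent.exe lifetime on the two deck observations.

    max_lifetime is an assumed threshold; tune it from your own baseline of
    legitimate elevations. A window is flagged only when it is both short-lived
    AND contains cross-process activity from some other process, so ordinary
    quick prompts alone do not fire.
    """
    results = []
    for pid, start, end in consent_windows(events):
        inside = [e for e in events
                  if start <= parse_time(e["time"]) <= end and e["pid"] != pid]
        cross = [e for e in inside if e["event"] in CROSS_PROCESS_EVENTS]
        lifetime = end - start
        results.append({
            "consent_pid": pid,
            "lifetime_s": lifetime.total_seconds(),
            "short_lived": lifetime <= max_lifetime,
            "cross_process": len(cross),
            "actors": sorted({e["pid"] for e in cross}),
            "suspicious": lifetime <= max_lifetime and bool(cross),
        })
    return results


if __name__ == "__main__":
    for r in score_windows(SAMPLE_EVENTS):
        print(r)
```

Feed it your real ProcessCreate/ProcessTerminate/ProcessAccess stream instead of SAMPLE_EVENTS; the thing to calibrate first is max_lifetime against the legitimate regedit, admin cmd and installer elevations shown earlier in the deck, since a user who clicks the prompt quickly can also produce a short consent.exe lifetime.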