From c496e0b1497c7111e7e551e78eebae5d5e7223d4 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 19 Feb 2026 19:03:30 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via Program Compatibility Assistant scheduled task hijack rule

Detects attempts to bypass User Account Control (UAC) by abusing the Program Compatibility Assistant (PCA) scheduled task to achieve unauthorized privilege escalation. Adversaries can leverage a trusted Windows component and its associated task execution context to spawn elevated processes without triggering standard UAC consent prompts.
---
 ...bility_assistant_scheduled_task_hijack.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/privilege_escalation_uac_bypass_via_program_compatibility_assistant_scheduled_task_hijack.yml

diff --git a/rules/privilege_escalation_uac_bypass_via_program_compatibility_assistant_scheduled_task_hijack.yml b/rules/privilege_escalation_uac_bypass_via_program_compatibility_assistant_scheduled_task_hijack.yml
new file mode 100644
index 000000000..519d5f7fb
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_program_compatibility_assistant_scheduled_task_hijack.yml
@@ -0,0 +1,31 @@
+name: UAC bypass via Program Compatibility Assistant scheduled task hijack
+id: 73de8712-f3a7-483e-b15f-6cc29c415511
+version: 1.0.0
+description: |
+ Detects attempts to bypass User Account Control (UAC) by abusing the
+ Program Compatibility Assistant (PCA) scheduled task to achieve unauthorized
+ privilege escalation. Adversaries can leverage a trusted Windows component and
+ its associated task execution context to spawn elevated processes without triggering
+ standard UAC consent prompts.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1548
+ technique.name: Abuse Elevation Control Mechanism
+ technique.ref: https://attack.mitre.org/techniques/T1548/
+ subtechnique.id: T1548.002
+ subtechnique.name: Bypass User Account Control
+ subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+ - https://github.com/hfiref0x/UACME
+
+condition: >
+ spawn_process and
+ ps.parent.name ~= 'taskhostw.exe' and ps.token.integrity_level = 'HIGH' and
+ thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|kernel32.dll|pcadm.dll|ntdll.dll|KernelBase.dll|wdi.dll|*' and
+ not foreach(thread._callstack, $frame, $frame.module imatches '?:\\Windows\\System32\\pcadm.dll')
+
+severity: high
+
+min-engine-version: 3.0.0
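Review bot: The description restates the technique but never explains what the condition actually keys on: the `not foreach(thread._callstack, $frame, $frame.module imatches '?:\\Windows\\System32\\pcadm.dll')` clause makes the rule fire only when the pcadm.dll frame on the stack is not the copy under System32, i.e. a sideloaded pcadm.dll, and a reader tuning or triaging this rule cannot tell that from the current text. Suggest adding a sentence to the description such as `The rule matches high-integrity processes spawned by taskhostw.exe whose call stack passes through a pcadm.dll that was not loaded from the System32 directory, which indicates the DLL was hijacked.` The summary pattern `'ntdll.dll|KernelBase.dll|kernel32.dll|pcadm.dll|ntdll.dll|KernelBase.dll|wdi.dll|*'` pins an exact frame order, so any variation of the stack on other Windows builds (kernel32.dll absent, wdi.dll at a different position) will silently prevent a match; if this sequence was captured on one specific build, noting that in the description would help maintainers, and a looser anchor such as `thread.callstack.summary imatches '*|pcadm.dll|*'` combined with the existing path check may be worth considering. The parent is constrained by name only (`ps.parent.name ~= 'taskhostw.exe'`); if the engine exposes the parent image path, also constraining it to the System32 taskhostw.exe would keep the rule from being satisfied, or dodged, by a process that merely carries that name.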