HackTool - Empire PowerShell UAC Bypass
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| HackTool - Empire PowerShell UAC Bypass | Standard | Windows Security Event Log (Process Creation); Sysmon (ProcessCreate Event) | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects Empire post-exploitation framework PowerShell User Account Control (UAC) bypass methods using specific PowerShell command parameters that attempt to elevate privileges without user consent.
Severity
Critical
Rule journey
Attack chain scenario
Initial Access → Execution → Privilege Escalation and Defense Evasion via UAC Bypass → Impact
Impact
Privilege escalation enabling stealthy execution of malicious code with administrative rights.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a domain controller as admin
- Open GPMC (type gpmc.msc in Run)
- Edit or create a GPO linked to the target OU
- Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Enable Audit Process Creation and Audit Process Termination (check Success)
- Go to: Computer Configuration > Administrative Templates > System > Audit Process Creation
- Enable "Include command line in process creation events"
- Ensure registry path exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download Sysmon from Microsoft Sysinternals
- Open Command Prompt as admin
- Use or create a config with process creation logging
- Install Sysmon with: sysmon.exe -i config.xml
- Config must include a ProcessCreate rule to capture all process creations
- Ensure registry path exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND COMMANDLINE contains
" -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update), -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
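The Action1 criteria above, re-implemented in Python over constructed process-creation records as an added example (not the rule platform's own engine). It assumes the platform's "contains" is case-insensitive and that events expose the same field names the rule selects.

```python
from typing import Dict, Iterable, List

# Command-line fragments taken from the rule's Criteria above.
EMPIRE_UAC_BYPASS_PATTERNS = (
    r" -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)",
    r" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);",
)

# Fields the rule's "select" clause carries into the alert.
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                 "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def matches_empire_uac_bypass(commandline: str) -> bool:
    """Mirror 'COMMANDLINE contains <pattern>' for either pattern.
    Assumption: the platform's contains is case-insensitive, so normalise both sides."""
    cl = commandline.lower()
    return any(p.lower() in cl for p in EMPIRE_UAC_BYPASS_PATTERNS)


def evaluate_rule(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the Action1 criteria and return one alert record (selected fields only)
    per matching 'Process started' event; other action types are ignored."""
    alerts = []
    for ev in events:
        if ev.get("actionname") != "Process started":
            continue
        if matches_empire_uac_bypass(ev.get("COMMANDLINE", "")):
            alerts.append({k: ev.get(k, "") for k in SELECT_FIELDS})
    return alerts


# Constructed sample events (not real telemetry), shaped like the rule's fields.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "WS01", "USERNAME": "CORP\\alice",
     "PROCESSNAME": "powershell.exe", "PARENTPROCESSNAME": "cmd.exe", "FILE_NAME": "powershell.exe",
     "MESSAGE": "A new process has been created",
     "COMMANDLINE": r"powershell.exe -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);"},
    {"actionname": "Process started", "HOSTNAME": "WS02", "USERNAME": "CORP\\bob",
     "PROCESSNAME": "powershell.exe", "PARENTPROCESSNAME": "explorer.exe", "FILE_NAME": "powershell.exe",
     "MESSAGE": "A new process has been created",
     "COMMANDLINE": r"powershell.exe -NoP -NonI -c Get-Process"},  # benign: same switches, no pattern
    {"actionname": "Process terminated", "HOSTNAME": "WS01", "USERNAME": "CORP\\alice",
     "PROCESSNAME": "powershell.exe", "PARENTPROCESSNAME": "cmd.exe", "FILE_NAME": "powershell.exe",
     "MESSAGE": "A process has exited",
     "COMMANDLINE": r"powershell.exe -nop -noni -c $x=$((gp hkcu:software\microsoft\windows update).update);"},  # wrong action, ignored
]

if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["USERNAME"], alert["COMMANDLINE"])
```

The second sample shows why the rule keys on the full `$x=$((gp HKCU:...).Update)` fragment rather than the `-NoP -NonI` switches alone: those switches appear in plenty of legitimate automation.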
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
Security Standards
Auditing, privileged account management, software patching, and enforcing strong UAC policies to mitigate bypass risks.
Author
Ecco
Future actions
Known False Positives
Unknown; detection based on specific PowerShell command patterns related to UAC bypass.
Next Steps
- Audit for UAC bypass weaknesses and remediate.
- Remove users from local administrator groups as appropriate.
- Update Windows OS to latest patches.
- Enforce highest UAC settings and mitigate bypass techniques such as DLL search order hijacking.
- Monitor process creation with matching PowerShell parameters for privilege escalation attempts.
Mitigation
| Mitigation ID | Name | Description |
| --- | --- | --- |
| M1047 | Audit | Check for common UAC bypass weaknesses on Windows systems to understand risk posture and address identified issues. |
| M1026 | Privileged Account Management | Remove unnecessary users from the local administrator group to minimize privilege escalation opportunities. |
| M1051 | Update Software | Keep Windows systems updated with the latest patches to leverage new protections against UAC bypass techniques. |
| M1052 | User Account Control | Enforce the highest UAC enforcement level possible. Mitigate known bypass methods such as DLL Search Order Hijacking to reduce bypass opportunities. |