This note documents detection patterns related to UAC Bypass within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects auto-elevated binary abuse and resulting payloads. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for bypass chains. |
| Sysmon | 13 | Registry value set | Critical | Common registry hijacks used by UAC bypass methods. |
| Sysmon | 12 | Registry object create/delete | High | Registry preparation before trigger. |
| Security | 4672 | Special privileges assigned | High | Elevated token appears after bypass. |
| Sysmon | 11 | File create | Medium | Payload or helper file staging. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Auto-elevated binary launches shell | fodhelper, computerdefaults, sdclt | Critical | Classic bypass pattern. |
| HKCU hijack before trigger | Shell open command override | Critical | Core registry primitive. |
| Elevated child without consent UI | Silent elevation | Critical | Strong bypass clue. |
| Temp/AppData payload launched elevated | User path elevated execution | Critical | Strong anomaly. |
| Registry cleanup after launch | Key removed quickly | High | Skilled operator behavior. |
| Short-lived auto-elevated process | Trigger binary exits fast | High | Common bypass timing. |
Common Tools
| Tool | Usage |
|---|---|
| fodhelper.exe | Registry hijack UAC bypass |
| computerdefaults.exe | Auto-elevated trigger |
| sdclt.exe | Legacy bypass |
| reg.exe | Registry setup |
| PowerShell | Registry automation |
Relevant Artifacts
- Security Event IDs 4688, 4672
- Sysmon Event IDs 1, 12, 13, 11
- Registry paths:
  - HKCU\Software\Classes\ms-settings\Shell\Open\command
- Trigger binaries:
  - fodhelper.exe
  - computerdefaults.exe
  - sdclt.exe
- Prefetch for trigger binary
- Amcache / ShimCache
MITRE ATT&CK References
- T1548.002 Bypass User Account Control
Decision Tree
- Which trigger binary?
  - fodhelper
  - computerdefaults
  - sdclt
- Registry modified?
  - HKCU hijack
  - Command override
- Elevated child appears?
  - cmd
  - powershell
  - payload
- Cleanup observed?
  - Registry delete
  - Temp file removal
- Expand:
  - Adjacent privesc
  - Persistence
  - Defender tampering
- Scope:
  - Single bypass
  - Repeated method
  - Toolkit chain
Example Detection Templates
KQL
```kusto
Sysmon
| where EventID == 13
| where TargetObject has "ms-settings"
| project TimeGenerated, Computer, TargetObject, Details
```

```kusto
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("fodhelper.exe","computerdefaults.exe","sdclt.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName
```
EQL
```eql
registry where registry.path like "*ms-settings*"
```

```eql
sequence by host.name with maxspan=5m
  [ registry where registry.path like "*ms-settings*" ]
  [ process where process.parent.name in ("fodhelper.exe","computerdefaults.exe","sdclt.exe") ]
```
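The EQL sequence above, implemented as an added stand-alone Python correlation (not part of the original note) that runs over constructed Sysmon-style events; the event field names, hostnames and paths are assumptions, not real telemetry:

```python
# Added example, not from the original note: the EQL sequence above implemented
# over constructed Sysmon-style events (field names and values are assumptions).
from datetime import datetime

TRIGGERS = {"fodhelper.exe", "computerdefaults.exe", "sdclt.exe"}
HIJACK_KEY = r"ms-settings\shell\open\command"   # matched case-insensitively

# Constructed sample events (not real telemetry): id 13 = registry value set,
# id 1 = process create. Only WS01 shows the hijack-then-trigger pattern.
EVENTS = [
    {"ts": "2026-03-07T10:00:00", "host": "WS01", "id": 13,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "details": r"C:\Users\u\AppData\Local\Temp\p.exe"},
    {"ts": "2026-03-07T10:00:04", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\fodhelper.exe"},
    {"ts": "2026-03-07T10:30:00", "host": "WS02", "id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def correlate(events, maxspan_seconds=300):
    """Return (host, hijack_ts, child_image, parent_name) for every process whose
    parent is an auto-elevated trigger binary and that follows an ms-settings
    hijack on the same host within maxspan_seconds (the EQL 'maxspan=5m')."""
    hits = []
    last_hijack = {}  # host -> datetime of the most recent hijack write
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 13 and HIJACK_KEY in ev.get("target", "").lower():
            last_hijack[host] = ts
        elif ev["id"] == 1:
            parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
            seen = last_hijack.get(host)
            if parent in TRIGGERS and seen is not None \
                    and (ts - seen).total_seconds() <= maxspan_seconds:
                hits.append((host, seen.isoformat(), ev["image"], parent))
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print("Possible UAC bypass sequence:", hit)
```

Feed it the Sysmon 13 and Sysmon 1 events from the tables above (one dict per event) to reproduce the sequence match on real data.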
Sigma
```yaml
title: UAC Bypass Detection
id: 4f2c8a13-uac-bypass
status: experimental
description: Detects registry-based UAC bypass techniques
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 13
  keywords:
    TargetObject|contains: 'ms-settings'
  condition: selection and keywords
fields:
  - TargetObject
  - Details
falsepositives:
  - Rare legitimate software
level: high
tags:
  - attack.privilege_escalation
  - attack.t1548.002
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Registry monitoring | Alert on ms-settings hijack | Critical | Core signal |
| Watch auto-elevated binaries | High-value trigger set | Critical | Low false positives |
| Preserve registry history | Catch cleanup attempts | High | Strong forensic value |
| UAC hardening | Highest notification level | High | Reduces abuse |
| Restrict local admin rights | Reduce trigger success | High | Prevent escalation |