This artifact will return COM objects that auto-elevate and bypass UAC (these could potentially be used by adversaries/malware to elevate privileges), and cross-reference the class ID with a name where able.
name: Windows.Registry.COMAutoApprovalList
author: Wes Lambert - @therealwlambert
description: |
This artifact will return COM objects that auto-elevate and bypass UAC (these could potentially be used by adversaries/malware to elevate privileges), and cross-reference the class ID with a name where able.
reference:
- https://twitter.com/d4rksystem/status/1562507028337131520?s=20&t=3k45RhMaSRvLr6kNc0fdKg
- https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
parameters:
- name: KeyGlob
default: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList\**
- name: ClsidGlob
default: HKLM\SOFTWARE\Classes\CLSID\
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT {
SELECT Data.value
FROM stat(filename=ClsidGlob + OSPath.Basename + "\\@",
accessor="registry")
} AS Name,
Data.value AS Enabled,
OSPath.Basename AS GUID,
OSPath AS ApprovalKey,
Mtime
FROM glob(globs=KeyGlob, accessor="registry") ORDER BY Mtime DESC