From d126565323538a6754a3849c6538b46966bc96b9 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 11 Feb 2026 21:03:31 +0100
Subject: [PATCH] feat(rules): Add Potential privilege escalation via elevated IFileOperation COM interface rule

Identifies potential privilege escalation attempts through abuse of the elevated IFileOperation COM interface to bypass User Account Control (UAC) and gain unauthorized administrative privileges. Adversaries leverage trusted Windows components and auto-elevated COM objects to perform file operations in protected system locations.
---
 rules/macros/macros.yml                       |  3 ++
 ..._elevated_ifileoperation_com_interface.yml | 52 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 rules/privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation_com_interface.yml

diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index f8169a236..7b0ed7c8f 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -37,6 +37,9 @@
 - macro: set_file_information
   expr: evt.name = 'SetFileInformation'
 
+- macro: move_file
+  expr: evt.name = 'CreateFile' and thread.callstack.symbols imatches ('KernelBase.dll!MoveFile*')
+
 - macro: query_registry
   expr: evt.name in ('RegQueryKey', 'RegQueryValue') and registry.status = 'Success'
 
diff --git a/rules/privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation_com_interface.yml b/rules/privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation_com_interface.yml
new file mode 100644
index 000000000..a3c6f61ac
--- /dev/null
+++ b/rules/privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation_com_interface.yml
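Review bot: The new `move_file` macro is keyed entirely on `thread.callstack.symbols`, so it matches nothing when callstack enrichment is not available for the event or the `KernelBase.dll` frame cannot be symbolised, and a rule that ORs it with `create_file` then silently degrades to the `create_file` branch alone. That prerequisite is not visible to rule authors reading `macros.yml`, so it deserves a comment above the macro, e.g. `# Requires callstack enrichment: matches a CreateFile issued from a KernelBase.dll MoveFile* frame (MoveFileEx/MoveFileWithProgress family); without symbols this macro never fires`. If the `MoveFile*` wildcard is meant to cover that whole API family rather than just `MoveFileW`, saying so in the same comment avoids someone narrowing it later.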
@@ -0,0 +1,52 @@
+name: Potential privilege escalation via elevated IFileOperation COM interface
+id: e2e09014-78ad-4a73-9178-ba33c74f7839
+version: 1.0.0
+description: |
+  Identifies potential privilege escalation attempts through abuse of the elevated
+  IFileOperation COM interface to bypass User Account Control (UAC) and gain unauthorized
+  administrative privileges. Adversaries leverage trusted Windows components and auto-elevated
+  COM objects to perform file operations in protected system locations.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1548
+  technique.name: Abuse Elevation Control Mechanism
+  technique.ref: https://attack.mitre.org/techniques/T1548/
+  subtechnique.id: T1548.002
+  subtechnique.name: Bypass User Account Control
+  subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+  - https://github.com/hfiref0x/UACME
+  - https://fuzzysecurity.com/tutorials/27.html
+  - https://github.com/3gstudent/Use-COM-objects-to-bypass-UAC/blob/master/IFileOperation.cpp
+
+condition: >
+  sequence
+  maxspan 2m
+    |ps.name ~= 'dllhost.exe' and
+      ((create_file) or (move_file)) and ps.sid imatches ('S-1-5-21-*') and
+      (file.is_dll or file.extension iin ('.dll', '.dl~')) and
+      file.path imatches
+      (
+        '?:\\Windows\\System32\\*',
+        '?:\\Windows\\SysWoW64\\*',
+        '?:\\Program Files\\*',
+        '?:\\Program Files (x86)\\*'
+      )
+    | by file.path.stem
+    |load_dll and
+      ps.exe imatches
+      (
+        '?:\\Windows\\System32\\*',
+        '?:\\Windows\\SysWoW64\\*',
+        '?:\\Program Files\\*',
+        '?:\\Program Files (x86)\\*'
+      )
+    | by dll.path.stem
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
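Review bot: The two stages are correlated only through `| by file.path.stem` and `| by dll.path.stem`, which (assuming `stem` is the file name without directory and extension) ties a DLL written anywhere under the four listed roots to a later load of any same-named module from any of those roots by any process within 2 minutes, so a benign `dllhost.exe` surrogate writing e.g. `foo.dll` into Program Files followed by an unrelated process loading an existing `foo.dll` from System32 matches and triggers `kill`. The stem join is presumably chosen so a `.dl~` staging file still correlates with the eventual `.dll` load; that rationale belongs in `description` so a maintainer does not tighten the join to the full path by accident. Because the action terminates a process whose `ps.exe` lives under System32 or Program Files, consider documenting the expected false-positive surface next to `action:` (interactive admin sessions also carry `S-1-5-21-*` SIDs, so the first-stage SID filter excludes SYSTEM and service accounts but not elevated users), or tightening the second stage with a check that the loaded module's directory equals the dropped file's, if the engine supports joining on a derived path field.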