From f8c040562ad58b852cbd18710fcbcd8a5abdb0aa Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 19 Feb 2026 19:12:49 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via RequestTrace scheduled task hijack rule

Identifies attempts to bypass User Account Control (UAC) by abusing the RequestTrace scheduled task, a lesser-known but powerful auto-elevated Windows mechanism that can be repurposed by attackers to gain administrative-level execution without user consent.
---
 ...via_requesttrace_scheduled_task_hijack.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/privilege_escalation_uac_bypass_via_requesttrace_scheduled_task_hijack.yml

diff --git a/rules/privilege_escalation_uac_bypass_via_requesttrace_scheduled_task_hijack.yml b/rules/privilege_escalation_uac_bypass_via_requesttrace_scheduled_task_hijack.yml
new file mode 100644
index 000000000..5b10b4d50
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_requesttrace_scheduled_task_hijack.yml
@@ -0,0 +1,33 @@
+name: UAC bypass via RequestTrace scheduled task hijack
+id: ba86dd4c-e4a9-4b67-94d5-fdea513f1f1a
+version: 1.0.0
+description: |
+ Identifies attempts to bypass User Account Control (UAC) by abusing
+ the RequestTrace scheduled task, a lesser-known but powerful auto-elevated
+ Windows mechanism that can be repurposed by attackers to gain administrative-level
+ execution without user consent.
+ RequestTrace scheduled task can be started by pressing SHIFT+CTRL+WIN+T opening a
+ stealthy attack vector for adversaries.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1548
+ technique.name: Abuse Elevation Control Mechanism
+ technique.ref: https://attack.mitre.org/techniques/T1548/
+ subtechnique.id: T1548.002
+ subtechnique.name: Bypass User Account Control
+ subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+ - https://github.com/hfiref0x/UACME
+ - https://github.com/R41N3RZUF477/RequestTrace_UAC_Bypass
+
+condition: >
+ spawn_process and
+ ps.parent.name ~= 'taskhostw.exe' and ps.token.integrity_level = 'HIGH' and
+ thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|*PerformanceTraceHandler.dll*' and
+ not foreach(thread._callstack, $frame, $frame.module imatches '?:\\Windows\\System32\\PerformanceTraceHandler.dll')
+
+severity: high
+
+min-engine-version: 3.0.0
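Review bot: The exclusion on the last line of `condition`, `not foreach(thread._callstack, $frame, $frame.module imatches '?:\\Windows\\System32\\PerformanceTraceHandler.dll')`, only filters out the genuine handler if `foreach` is satisfied when any frame matches; if the engine's `foreach` requires the predicate to hold for every frame, the negated clause is true for every callstack that also contains the ntdll.dll/KernelBase.dll frames demanded by the summary match, and the legitimate System32 load is never excluded. Worth confirming against the engine's documented `foreach` semantics, and recording the intent in the rule so the next reader does not have to rediscover it, e.g. a `# fire only when PerformanceTraceHandler.dll is loaded from outside System32; the genuine handler lives there` comment above the `condition` key or an equivalent sentence in `description`. The summary pattern `'ntdll.dll|KernelBase.dll|*PerformanceTraceHandler.dll*'` also anchors the first two modules exactly; if the engine's callstack summary can place other modules ahead of or between them, those spawns would be missed, so a leading `*` may be safer — hedged, since the summary format is not visible in this patch.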