feat(rules): Add UAC bypass via Program Compatibility Assistant scheduled task hijack rule

Detects attempts to bypass User Account Control (UAC) by abusing the Program Compatibility Assistant (PCA) scheduled task to achieve unauthorized privilege escalation. Adversaries can leverage a trusted Windows component and its associated task execution context to spawn elevated processes without triggering standard UAC consent prompts.

Author: rabbitstack

rules/privilege_escalation_uac_bypass_via_program_compatibility_assistant_scheduled_task_hijack.yml

@@ -0,0 +1,31 @@
+name: UAC bypass via Program Compatibility Assistant scheduled task hijack
+id: 73de8712-f3a7-483e-b15f-6cc29c415511
+version: 1.0.0
+description: |
+  Detects attempts to bypass User Account Control (UAC) by abusing the
+  Program Compatibility Assistant (PCA) scheduled task to achieve unauthorized
+  privilege escalation. Adversaries can leverage a trusted Windows component and
+  its associated task execution context to spawn elevated processes without triggering
+  standard UAC consent prompts.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1548
+  technique.name: Abuse Elevation Control Mechanism
+  technique.ref: https://attack.mitre.org/techniques/T1548/
+  subtechnique.id: T1548.002
+  subtechnique.name: Bypass User Account Control
+  subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+  - https://github.com/hfiref0x/UACME
+
+condition: >
+  spawn_process and
+  ps.parent.name ~= 'taskhostw.exe' and ps.token.integrity_level = 'HIGH' and
+  thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|kernel32.dll|pcadm.dll|ntdll.dll|KernelBase.dll|wdi.dll|*' and
+  not foreach(thread._callstack, $frame, $frame.module imatches '?:\\Windows\\System32\\pcadm.dll')
+
+severity: high
+
+min-engine-version: 3.0.0