Adversaries who need administrative rights on a workstation frequently obtain them through an ordinary UAC prompt, for example by convincing the user to approve one, and that approval does not by itself raise an alert. consent.exe is the Windows process that presents the prompt, so its launches are a reliable marker of every elevation request on a device. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel), using the DeviceProcessEvents table from Defender for Endpoint, to identify privilege escalation that traditional controls do not flag.
KQL Query

```kusto
let TimeTolerance = 30m;
DeviceProcessEvents
| where FileName =~ 'consent.exe'
// consent.exe's first command-line argument is the PID of the process being elevated
| extend parsedCommandLine = split(ProcessCommandLine,' ')
| project ElevationTime = Timestamp, DeviceId, ElevatedProcessId = tolong(parsedCommandLine[1])
| join kind=inner (
    DeviceProcessEvents
    | where ProcessTokenElevation == 'TokenElevationTypeFull'
) on DeviceId, $left.ElevatedProcessId == $right.ProcessId
// PIDs are reused, so require the prompt and the elevated launch to fall within
// TimeTolerance of each other in either direction; the one-sided form
// (ElevationTime - Timestamp <= TimeTolerance) keeps any later process that
// happens to receive the same PID
| where abs(ElevationTime - Timestamp) <= TimeTolerance
| project-away DeviceId1
```
```yaml
name: detect-uac-elevation
description: |
  This query identifies UAC elevated processes by analyzing launches of consent.exe (the process that presents the UAC
  elevation prompt). The first parameter of consent.exe is the process ID being elevated, so that value is extracted and,
  combined with the DeviceId, joined with processes that ran UAC elevated on the same device. Because process IDs are
  reused, a time filter requires the elevation request and the process launch to occur within a specified period of each
  other (as written, 30 minutes in either direction).
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  let TimeTolerance = 30m;
  DeviceProcessEvents
  | where FileName =~ 'consent.exe'
  | extend parsedCommandLine = split(ProcessCommandLine,' ')
  | project ElevationTime = Timestamp, DeviceId, ElevatedProcessId = tolong(parsedCommandLine[1])
  | join kind=inner (
      DeviceProcessEvents
      | where ProcessTokenElevation == 'TokenElevationTypeFull'
  ) on DeviceId, $left.ElevatedProcessId == $right.ProcessId
  // abs() bounds the gap in both directions so that later PID reuse is excluded too
  | where abs(ElevationTime - Timestamp) <= TimeTolerance
  | project-away DeviceId1
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and that Defender for Endpoint devices are reporting |
Scenario: Scheduled Task Running with UAC Elevation
Description: Scheduled tasks configured to run with highest privileges are started by the Task Scheduler service with a full token and do not go through a consent prompt, so they produce no consent.exe launch of their own. They only enter the results when a task's PID coincides with the PID from a consent.exe command line, which the time window is there to limit. DeviceProcessEvents has no TaskName or TaskDescription column, so tuning has to be done on the elevated process itself.
Filter/Exclusion: Exclude the executables run by known maintenance tasks using the elevated process's FileName (add FolderPath if the name is generic).
Example Filter: `| where FileName !in~ ("UpdateSoftware.exe", "SystemMaintenance.exe")` (placeholder names; substitute the binaries your tasks launch)
Scenario: Microsoft System Configuration Tool (msconfig.exe) Launching Consent.exe
Description: msconfig.exe requires administrator rights, so opening it produces a consent prompt followed by an elevated msconfig.exe. Note that consent.exe is launched by the Application Information (AppInfo) service, so its parent is svchost.exe regardless of which program asked for elevation; a filter on consent.exe's parent process excludes nothing.
Filter/Exclusion: Exclude on the elevated process (the right side of the join), matching FileName together with FolderPath so a renamed binary elsewhere on disk is not hidden.
Example Filter: `| where not(FileName =~ "msconfig.exe" and FolderPath startswith @"C:\Windows\System32\")`
Scenario: Windows Update or Patching Process Using Consent.exe
Description: Windows Update itself runs as a service under SYSTEM and never passes through consent.exe. What does appear is an interactive user running an installer, such as wusa.exe for a standalone update or a vendor setup.exe, which prompts for elevation. "setup.exe" is a generic name that malware also uses, so scope that exclusion by path or version information rather than by name alone. DeviceProcessEvents has no ProcessName column; the elevated process's name is in FileName.
Filter/Exclusion: Exclude wusa.exe only from its System32 location, and vendor installers only together with a trusted ProcessVersionInfoCompanyName value.
Example Filter: `| where not(FileName =~ "wusa.exe" and FolderPath startswith @"C:\Windows\System32\") and not(FileName =~ "setup.exe" and ProcessVersionInfoCompanyName == "Microsoft Corporation")`
Scenario: Admin Tools Like PowerShell or Command Prompt Launching Consent.exe
Description: When an administrator runs `Start-Process -Verb RunAs` or launches an admin tool from a shell, the system prompts for UAC and the elevated child is recorded with powershell.exe or cmd.exe as its InitiatingProcessFileName. The same pattern is exactly what an attacker with a foothold in a user session produces, so a blanket exclusion on the shell name removes the most interesting rows.
Filter/Exclusion: Exclude the shell-initiated elevations only for known administrator accounts, using InitiatingProcessFileName and InitiatingProcessAccountName on the elevated process.
Example Filter: `| where not(InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe") and InitiatingProcessAccountName in~ ("admin1", "admin2"))` (placeholder account names)
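The script below is an added example, not part of this page and not Microsoft's hunting query. It replays the consent.exe-to-elevated-process join from the query description above over a handful of constructed DeviceProcessEvents-style rows (column names follow the schema; every value is made up), shows the PID-reuse case that the one-sided time check lets through and the abs() form rejects, and applies the exclusions from the scenarios to the elevated process rather than to consent.exe. The `symmetric` flag, the sample rows and the exclusion lists are assumptions of this example.

```python
"""Replay of the consent.exe -> elevated-process join over constructed rows.

Added example: not the page's query and not Microsoft's code. Column names
follow the DeviceProcessEvents schema; every value below is made up.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). Only the columns the query
# and the tuning scenarios use are included.
EVENTS = [
    # stale process that held PID 4120 two hours before the prompt (PID reuse)
    {"Timestamp": "2024-05-01T08:00:00", "DeviceId": "dev-a", "FileName": "notepad.exe",
     "ProcessId": 4120, "ProcessCommandLine": "notepad.exe",
     "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "explorer.exe"},
    # the UAC prompt; first argument is the PID the page describes as being elevated
    {"Timestamp": "2024-05-01T10:00:00", "DeviceId": "dev-a", "FileName": "consent.exe",
     "ProcessId": 5000, "ProcessCommandLine": "consent.exe 4120 278 000001D2B9C8A6E0",
     "ProcessTokenElevation": "TokenElevationTypeDefault", "InitiatingProcessFileName": "svchost.exe"},
    # the elevated launch four seconds after the prompt: the true positive
    {"Timestamp": "2024-05-01T10:00:04", "DeviceId": "dev-a", "FileName": "regedit.exe",
     "ProcessId": 4120, "ProcessCommandLine": "regedit.exe",
     "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "explorer.exe"},
    # PID 4120 reused three hours later by an unrelated elevated process
    {"Timestamp": "2024-05-01T13:00:00", "DeviceId": "dev-a", "FileName": "mmc.exe",
     "ProcessId": 4120, "ProcessCommandLine": "mmc.exe services.msc",
     "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "explorer.exe"},
    # same PID on a different device: the join on DeviceId keeps this out
    {"Timestamp": "2024-05-01T10:00:05", "DeviceId": "dev-b", "FileName": "cmd.exe",
     "ProcessId": 4120, "ProcessCommandLine": "cmd.exe",
     "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "powershell.exe"},
    # an admin elevating a shell from PowerShell on dev-b (tuning scenario)
    {"Timestamp": "2024-05-01T11:00:00", "DeviceId": "dev-b", "FileName": "consent.exe",
     "ProcessId": 6100, "ProcessCommandLine": "consent.exe 7000 412 000001D2B9C8B1F0",
     "ProcessTokenElevation": "TokenElevationTypeDefault", "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2024-05-01T11:00:02", "DeviceId": "dev-b", "FileName": "cmd.exe",
     "ProcessId": 7000, "ProcessCommandLine": "cmd.exe",
     "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "powershell.exe"},
]


def elevated_pid(command_line):
    """split(ProcessCommandLine, ' ')[1] + tolong(): None where KQL would yield null."""
    parts = command_line.split(" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return int(parts[1])


def join_consent_to_elevated(events, tolerance=timedelta(minutes=30), symmetric=True):
    """Inner join of consent.exe launches to full-token processes on (DeviceId, PID).

    symmetric=False reproduces the one-sided `ElevationTime - Timestamp <= TimeTolerance`,
    which only bounds processes that started *before* the prompt; symmetric=True is
    the abs() form that also drops later PID reuse.
    """
    consents = [e for e in events if e["FileName"].lower() == "consent.exe"]  # =~ is case-insensitive
    elevated = [e for e in events if e["ProcessTokenElevation"] == "TokenElevationTypeFull"]
    matches = []
    for c in consents:
        pid = elevated_pid(c["ProcessCommandLine"])
        if pid is None:
            continue
        elevation_time = datetime.fromisoformat(c["Timestamp"])
        for e in elevated:
            if e["DeviceId"] != c["DeviceId"] or e["ProcessId"] != pid:
                continue
            delta = elevation_time - datetime.fromisoformat(e["Timestamp"])
            if (abs(delta) if symmetric else delta) <= tolerance:
                matches.append({
                    "ElevationTime": c["Timestamp"], "DeviceId": c["DeviceId"],
                    "ElevatedProcessId": pid, "Timestamp": e["Timestamp"],
                    "FileName": e["FileName"],
                    "InitiatingProcessFileName": e["InitiatingProcessFileName"],
                })
    return matches


def apply_exclusions(matches, excluded_initiators=("powershell.exe", "cmd.exe"),
                     excluded_files=("wusa.exe", "setup.exe")):
    """Tuning from the scenarios, applied to the elevated process (right side of
    the join). consent.exe's own parent is the AppInfo service host, so a filter
    on it would never exclude anything. Lists are placeholders for this example."""
    return [m for m in matches
            if m["InitiatingProcessFileName"].lower() not in excluded_initiators
            and m["FileName"].lower() not in excluded_files]


if __name__ == "__main__":
    for label, rows in (("one-sided filter", join_consent_to_elevated(EVENTS, symmetric=False)),
                        ("abs() filter", join_consent_to_elevated(EVENTS)),
                        ("abs() + exclusions", apply_exclusions(join_consent_to_elevated(EVENTS)))):
        print(label, [(m["DeviceId"], m["ElevatedProcessId"], m["FileName"]) for m in rows])
```

With the one-sided check the three-hour-later mmc.exe row with the reused PID survives; with the abs() check only the regedit.exe launch four seconds after the prompt and the admin's cmd.exe on dev-b remain, and the shell exclusion then leaves the single true positive. In KQL the same two steps are `| where abs(ElevationTime - Timestamp) <= TimeTolerance` and a `where` on the right-side columns (`FileName`, `InitiatingProcessFileName`) after the join.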