Elevate.exe Understanding the Uses and Abuses

 Hello World.

TL;DR elevate.exe is an open-source UAC helper that is commonly bundled with Windows installers and some Electron builds — usually legitimate, but occasionally recompiled/signed and abused by threat actors (notably observed in recent EvilAI, TamperedChef, and BaoLoader campaigns)

I was reading through an article by TRUESEC, and one thing that struck me and my peers was the elevate.exe file present in the samples that were analyzed.

I mentioned to my peer that I have seen this file in many Electron apps I've analyzed this year. We kicked around the idea of building detection for this, but first we needed to understand what it is.

Firstly, as pointed out by TRUESEC, elevate.exe is a tool by Johannes Passing, found on its GitHub repo. The tool can be shipped or packaged alongside Windows executables that do not elevate privileges on their own; the helper invokes UAC to elevate the privileges of the designated application.

Initially, after reading this, it seemed that hunting for this executable alone, whether in a large environment or through malware repositories and sandboxes, would yield a lot of false positives, so using it as an indicator on its own could be time consuming.

With that said, it is an application that can be abused; eSENTIRE shows one example of this. I also ran across this tweet, which suggests that signed versions of elevate.exe can be used for privilege escalation. That could be useful for red teamers, but it could also be useful for attackers.

So, I thought, what if I narrow my scope to just signed versions of this file? Unfortunately, this query in VirusTotal produced nearly 10 thousand results!

name:"Elevate.exe" tag:signed imphash:c3afe98a750f2d4f1ed5d2ac323cb5e0 tag:detect-debug-environment tag:overlay

I drilled into a few of these, and many were part of Electron applications. This got me curious. A little more research showed that, with packElevateHelper in the Electron build process, elevate.exe is packaged in with the application.

Additionally, signing these elevate.exe files as part of the build helps ensure the tool will run properly. So it would seem that simply hunting for, or detecting on, signed elevate.exe is also likely to produce many false positives.

Attempting to look at the 7z file that drops elevate.exe, even with additional filters, still gives too many results to parse through.

behaviour_files:elevate.exe entity:file tag:contains-pe name:app-64.7z behaviour_processes:"node_modules" behaviour_files:d3dcompiler_47.dll size:60MB+ size:150MB-

This begs the question: how would you detect suspicious or malicious use of elevate.exe in your environment? How would you hunt for samples in the wild that drop elevate.exe?

At the moment, I suggest limiting your scope to a single-day view at a time and hunting through suspect application names and paths.
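As an added example (not code from the original post or from the elevate.exe project), the Python below applies that single-day triage to a handful of constructed process-creation events. Rather than alerting on every elevate.exe, it scores each execution on context: whether the helper runs from a staging or temp location, whether it is unsigned, whether its parent lives in the same application directory tree (the layout assumed for an Electron app that ships the helper), and whether the program being elevated is a script host. The sample events, the suspect-directory patterns, the "same app tree" rule and the script-host list are all assumptions to tune for your own environment.

```python
"""Triage elevate.exe executions for one day of process-creation telemetry.

Added example, not from the original post. All events below are constructed;
the heuristics are assumptions, not a vetted allowlist.
"""
import ntpath
import re
from collections import Counter

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS = [
    {   # an Electron app elevating its own updater from inside its install tree
        "ts": "2025-10-01T09:12:03",
        "image": r"C:\Users\alice\AppData\Local\Programs\notes-app\resources\elevate.exe",
        "parent": r"C:\Users\alice\AppData\Local\Programs\notes-app\notes-app.exe",
        "signed": True,
        "cmdline": r'elevate.exe "C:\Users\alice\AppData\Local\Programs\notes-app\Update.exe" --install',
    },
    {   # a downloaded setup extracting the helper to Temp and elevating cmd.exe
        "ts": "2025-10-01T09:14:41",
        "image": r"C:\Users\bob\AppData\Local\Temp\7zS1234\elevate.exe",
        "parent": r"C:\Users\bob\Downloads\PDF-Editor-Setup.exe",
        "signed": True,
        "cmdline": r'elevate.exe cmd.exe /c "C:\Users\bob\AppData\Local\Temp\7zS1234\run.bat"',
    },
    {   # an unsigned copy launched by a script host from ProgramData
        "ts": "2025-10-01T13:02:10",
        "image": r"C:\ProgramData\svc\elevate.exe",
        "parent": r"C:\Windows\System32\wscript.exe",
        "signed": False,
        "cmdline": r"elevate.exe powershell.exe -w hidden -File C:\ProgramData\svc\s.ps1",
    },
    {   # next day: excluded by the single-day view
        "ts": "2025-10-02T08:00:00",
        "image": r"C:\Users\carol\AppData\Local\Temp\elevate.exe",
        "parent": r"C:\Users\carol\Downloads\installer.exe",
        "signed": False,
        "cmdline": "elevate.exe cmd.exe",
    },
]

# Locations where a helper shipped inside an installed app would not normally
# run from (assumed; extend for your environment). Matched on lowercase paths.
SUSPECT_DIR_PATTERNS = [
    r"\\appdata\\local\\temp\\",
    r"\\downloads\\",
    r"\\users\\public\\",
    r"\\programdata\\",
    r"\\windows\\temp\\",
]

# Programs that an installer's UAC helper rarely needs to elevate (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def same_app_tree(image, parent):
    """True when the parent binary sits in or above the elevate.exe directory,
    the layout assumed for an Electron app that bundles the helper."""
    image_dir = ntpath.dirname(image).lower()
    parent_dir = ntpath.dirname(parent).lower()
    return image_dir == parent_dir or image_dir.startswith(parent_dir + "\\")


def elevated_target(cmdline):
    """Return the lowercase basename of the program elevate.exe is asked to run:
    the first token after elevate.exe that is not a dash-prefixed option."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for tok in tokens[1:]:
        if tok.startswith("-"):
            continue
        return ntpath.basename(tok.strip('"')).lower()
    return ""


def triage_event(ev):
    """Return the list of reasons an event looks suspicious (empty = benign)."""
    reasons = []
    image_l = ev["image"].lower()
    if any(re.search(p, image_l) for p in SUSPECT_DIR_PATTERNS):
        reasons.append("elevate.exe running from a staging/temp location")
    if not ev["signed"]:
        reasons.append("unsigned elevate.exe")
    if not same_app_tree(ev["image"], ev["parent"]):
        reasons.append("parent process is outside the application directory")
    target = elevated_target(ev["cmdline"])
    if target in SCRIPT_HOSTS:
        reasons.append(f"elevating a script host ({target})")
    return reasons


def triage(events, day):
    """Flagged events for one calendar day ('YYYY-MM-DD'), most reasons first."""
    flagged = []
    for ev in events:
        if ev["ts"][:10] != day:
            continue
        reasons = triage_event(ev)
        if reasons:
            flagged.append({"ts": ev["ts"], "image": ev["image"],
                            "parent": ev["parent"], "reasons": reasons})
    return sorted(flagged, key=lambda f: len(f["reasons"]), reverse=True)


def parent_summary(events, day):
    """Count (parent name, elevate.exe directory) pairs for the day so the
    rarely seen combinations stand out for manual review."""
    counts = Counter()
    for ev in events:
        if ev["ts"][:10] == day:
            key = (ntpath.basename(ev["parent"]).lower(),
                   ntpath.dirname(ev["image"]).lower())
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for hit in triage(EVENTS, "2025-10-01"):
        print(hit["ts"], hit["parent"], "->", hit["image"])
        for r in hit["reasons"]:
            print("   -", r)
    for (parent, folder), n in parent_summary(EVENTS, "2025-10-01").items():
        print(f"{n:3d}  {parent:24s} {folder}")
```

Over a real day of telemetry the parent summary is the useful part: the Electron apps you already know about collapse into a few high-count pairs, and what remains is the short list of application names and paths worth reading by hand.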
