Strange alert about slui.exe

Appreciate any thoughts about this.

The fact that google returns zero hits about “MEMEPMShExt” bothers me greatly.

As far as we can tell, the computers are clean and the network is quiet. Has anyone else seen this and if so, any suggestions?


InsightIDR has reported the following incident for **[name redacted windows 10 laptop]**:

Suspicious Process - Potential SLUI.exe UAC Bypass

Part of the full event:

```json
  "hostname": "[REDACTED]",
  "dns_domain": "[REDACTED]",
  "os_type": "WINDOWS",
  "r7_hostid": "[REDACTED]",
  "process": {
    "start_time": "2023-06-17T06:47:16.473Z",
    "name": "reg.exe",
    "pid": 7932,
    "r7_id": "{cf0c003a-56f4-648d-4209-000000001600}",
    "exe_path": "C:\\Windows\\System32\\reg.exe",
    "cmd_line": "C:\\Windows\\system32\\reg.exe DELETE \"HKLM\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\MEMEPMShExt\" /f ",
    "username": "NT AUTHORITY\\SYSTEM",
    "session": 0,
    "exe_file": {
      "owner": "NT SERVICE\\TrustedInstaller",
      "orig_filename": "reg.exe",
      "description": "Registry Console Tool",
      "product_name": "Microsoft® Windows® Operating System",
      "version": "10.0.22621.1 (WinBuild.160101.0800)",
      "created": "2022-05-07T05:20:02.683Z",
      "last_modified": "2022-05-07T05:20:02.683Z",
      "size": 102400,
      "internal_name": "reg.exe",
      "hashes": {
        "md5": "cdb58d0bcabe76afc60428f364834463",
        "sha256": "411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde",
        "sha1": "979f280b1226e064cc79020b25fb8c40d9fb0008"
```
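As an added example (not code from the post or from InsightIDR): a small triage helper that parses the reg.exe command line out of an event shaped like the one above and rates the registry change. It assumes, which the thread does not state, that registry-based UAC bypasses stage a per-user override under HKCU\...\Classes\exefile\shell\open\command, so a DELETE under HKLM run as SYSTEM is rated for manual review rather than as a bypass; the sample event and the SYSTEM username are constructed.

```python
import re

# Constructed event modelled on the InsightIDR alert quoted in the post: same
# reg.exe command line, placeholder user field rather than the poster's data.
SAMPLE_EVENT = {"process": {
    "name": "reg.exe",
    "cmd_line": 'C:\\Windows\\system32\\reg.exe DELETE "HKLM\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\MEMEPMShExt" /f ',
    "username": "NT AUTHORITY\\SYSTEM",
}}

REG_OPS = {"ADD", "DELETE", "IMPORT", "LOAD", "COPY", "RESTORE", "SAVE"}
# The exefile class keys decide what runs when an .exe is opened or right-clicked,
# which is the registry area a "slui.exe UAC bypass" style rule keys on.
EXEFILE_KEY = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Classes\\exefile(?:\\(.*))?$",
    re.IGNORECASE)

def parse_reg_cmdline(cmd_line):
    """Return {'op', 'key', 'flags'} for a reg.exe command line, else None."""
    # Quoted tokens may contain spaces; backslashes are kept literally.
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd_line)]
    if len(tokens) < 3 or not tokens[0].lower().endswith("reg.exe"):
        return None
    op = tokens[1].upper()
    if op not in REG_OPS:
        return None
    return {"op": op, "key": tokens[2].rstrip("\\"), "flags": tokens[3:]}

def triage(event):
    """Return {'severity': 'none'|'review'|'high', 'reasons': [...]} for one event."""
    parsed = parse_reg_cmdline(event["process"].get("cmd_line", ""))
    m = EXEFILE_KEY.match(parsed["key"]) if parsed else None
    if not m:
        return {"severity": "none", "reasons": []}
    hive, subkey = m.group(1).upper(), (m.group(2) or "").lower()
    user = event["process"].get("username", "?")
    reasons = [f"reg.exe {parsed['op']} on exefile key {parsed['key']} as {user}"]
    # Assumption (see lead-in): registry-based UAC bypasses stage a per-user
    # override under HKCU ...\shell\open\command, since an unelevated process
    # can write HKCU but not HKLM. A DELETE under HKLM is the opposite shape.
    if hive in ("HKCU", "HKEY_CURRENT_USER") and subkey.startswith("shell\\open\\command") \
            and parsed["op"] in ("ADD", "IMPORT"):
        reasons.append("per-user override of the exefile open command (bypass staging pattern)")
        return {"severity": "high", "reasons": reasons}
    reasons.append(("removal" if parsed["op"] == "DELETE" else "change")
                   + f" of a handler under {hive}: confirm the parent process and what the handler was")
    return {"severity": "review", "reasons": reasons}
```

Running `triage(SAMPLE_EVENT)` rates the quoted event as "review" with the key, operation and user in the reasons; the parent process, which the quoted fragment does not include, is what decides whether the deletion was an uninstall.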

There is a POC discussion of how to abuse slui.exe to achieve privilege escalation here:
slui.exe (ChangePK) Privilege escalation POC · GitHub

It’s hard to tell, there isn’t enough information to make a determination. MEMEPM seems like it’s an abbreviation for Microsoft Endpoint Manager. It could be that part of an exploit was detected, or it could be someone being a jerk and taking advantage of an exploit to install their own stuff.

We occasionally get people attempting to replace the accessibility icon located in the lower right corner of the Windows login page with a shortcut to cmd.exe or powershell. They do this because it can provide access to a system level shell without authentication, so they can do whatever they want without having to go through the correct process to request a software review or get an account for performing admin functions.