UAC Bypass ‑ Trusted Folder Abuse (WID 4688: credwiz.exe)

Question

I have received the following info about my active directory server 2016:

Detected potentially malicious process activity ('UAC Bypass ‑ Trusted Folder Abuse ') on your host #ADservername# by leveraging Red Cloak threat intelligence within the context of Windows process creation (WID 4688) logs.

Summary: UAC Bypass ‑ Trusted Folder Abuse (WID 4688: credwiz.exe) by "user account name here" on ADserverName\ServerIP

Kindly help me understand what this implies and what steps I should take.

Notes: This user does not sign out from the server and only "disconnects" and had recently (5 days ago) changed his password. Can this cause such an incident ?

score 1 · Accepted Answer · answered Jun 05 '21 at 10:14

The computer seems to be infected with a virus.

The UAC bypass through Trusted Folder abuse is a method for tricking Windows into running programs with Administrator permissions, by using a blank-terminated Windows \System32 folder.

The program doing it is named credwiz.exe. The name is legit, but the program may not be the one that is part of Windows.

See the post
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

UAC Bypass ‑ Trusted Folder Abuse (WID 4688: credwiz.exe)

1 Answers1