valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5d85bbba56
SigmaHQ/rules/windows/registry_event/sysmon_comhijack_sdclt.yml

27 lines
723 B
YAML
Raw Normal View History

updated name
2020-09-27 16:27:19 +00:00
title: COM Hijack via Sdclt
Update sysmon_comhijack_uac_bypass.yml
2020-09-27 16:14:41 +00:00
id: 07743f65-7ec9-404a-a519-913db7118a8d
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 15:49:04 +00:00
status: experimental
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
added event type & changed technique
2020-10-02 03:52:14 +00:00
author: Omkar Gudhate
date: 2020/09/27
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 15:49:04 +00:00
references:
- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- https://www.exploit-db.com/exploits/47696
Update sysmon_comhijack_uac_bypass.yml
2020-09-27 16:14:41 +00:00
tags:
- attack.privilege_escalation
Updated fields & renamed
2020-09-27 16:22:59 +00:00
- attack.t1546
- attack.t1548
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 15:49:04 +00:00
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject:
- 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
added event type & changed technique
2020-10-02 03:52:14 +00:00
EventType:
- SetValue
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 15:49:04 +00:00
condition: selection
falsepositives:
- unknown
Update sysmon_comhijack_uac_bypass.yml
2020-09-27 16:14:41 +00:00
level: high
Reference in New Issue Copy Permalink