SigmaHQ/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml

title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13 
        TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
    condition: selection
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1088
    - car.2019-04-001
falsepositives:
    - unknown
level: high
Rule: UAC bypass via eventvwr, minor changes 2017-03-19 18:34:06 +00:00			`title: UAC Bypass via sdclt`
Create sysmon_sdclt_uac_bypass.yml UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields 2017-03-17 18:31:26 +00:00			`status: experimental`
			`description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/`
Create sysmon_sdclt_uac_bypass.yml UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields 2017-03-17 18:31:26 +00:00			`author: Omer Yampel`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Fixed rule 2017-03-17 21:09:53 +00:00			`selection:`
Create sysmon_sdclt_uac_bypass.yml UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields 2017-03-17 18:31:26 +00:00			`EventID: 13`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'`
Create sysmon_sdclt_uac_bypass.yml UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields 2017-03-17 18:31:26 +00:00			`condition: selection`
Update sysmon_uac_bypass_sdclt.yml 2018-08-07 06:08:53 +00:00			`tags:`
Tag fixes 2018-08-07 06:18:16 +00:00			`- attack.defense_evasion`
			`- attack.privilege_escalation`
Update sysmon_uac_bypass_sdclt.yml 2018-08-07 06:08:53 +00:00			`- attack.t1088`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2019-04-001`
Create sysmon_sdclt_uac_bypass.yml UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields 2017-03-17 18:31:26 +00:00			`falsepositives:`
			`- unknown`
			`level: high`
Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 09:44:53 +00:00