SigmaHQ/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml

23 lines
601 B
YAML
Raw Normal View History

title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
logsource:
product: windows
service: sysmon
detection:
2017-03-17 21:09:53 +00:00
selection:
EventID: 13
2019-02-02 23:24:57 +00:00
TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
2018-08-07 06:08:53 +00:00
tags:
2018-08-07 06:18:16 +00:00
- attack.defense_evasion
- attack.privilege_escalation
2018-08-07 06:08:53 +00:00
- attack.t1088
falsepositives:
- unknown
level: high