Addition to UAC Bypasses

rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml

@@ -1,11 +1,13 @@
 title: UAC Bypass Using Registry Shell Open Keys
 id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
-description: Detects the pattern of UAC Bypass using fodhelper.exe or computerdefaults.exe via registry keys (UACMe 33 or 62)
+description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
     - https://github.com/hfiref0x/UACME
+    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
+    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -14,10 +16,18 @@ logsource:
     category: registry_event
     product: windows
 detection:
-    selection:
+    selection1:
         TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue'
         Details|contains: '\Software\Classes\{'
-    condition: selection
+    selection2:
+        TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute'
+    selection3:
+        TargetObject|endswith: '_Classes\ms-settings\shell\open\command\(Default)'
+    selection4:
+        TargetObject|endswith: '_Classes\exefile\shell\open\command\(Default)'
+    filter:
+        Details: '(Empty)'
+    condition: selection1 or selection2 or ( (selection3 or selection4) and not filter)
 falsepositives:
     - Unknown
 level: high