From 3f148e6c7c36c98f67833663af1dfdfd66b94c1a Mon Sep 17 00:00:00 2001
From: omkar72
Date: Sun, 27 Sep 2020 21:19:04 +0530
Subject: [PATCH] COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.

---
 .../sysmon_comhijack_uac_bypass.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/registry_event/sysmon_comhijack_uac_bypass.yml

diff --git a/rules/windows/registry_event/sysmon_comhijack_uac_bypass.yml b/rules/windows/registry_event/sysmon_comhijack_uac_bypass.yml
new file mode 100644
index 00000000..a44072de
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_comhijack_uac_bypass.yml
@@ -0,0 +1,25 @@
+title: COM hijack & UAC bypass via Sdclt
+status: experimental
+description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+references:
+    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
+    - https://www.exploit-db.com/exploits/47696
+author: Omkar Gudhate
+date: 2020/09/27
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:
+        TargetObject:
+            - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+            - 'HKCU\Software\Classes\Folder\shell\open\command'
+    condition: selection
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.T1546.015
+    - attack.T1548.002
+falsepositives:
+    - unknown
+level: high
\ No newline at end of file
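Review bot: The exact-match `TargetObject` values in `selection` carry an `HKCU\` prefix, but Sysmon registry events record the current-user hive as `HKU\<SID>\...`, so as written the rule is unlikely to fire on real telemetry. Anchoring on the suffix instead — `TargetObject|endswith:` with `'\Software\Classes\Folder\shell\open\command\DelegateExecute'` and `'\Software\Classes\Folder\shell\open\command\(Default)'` — matches regardless of the user SID, and the second entry covers the value Sysmon actually logs when the key's default value is set, which the bare `...\shell\open\command` entry does not. The description names only DelegateExecute even though the selection also watches the command key itself, so it should mention both. The `\ No newline at end of file` marker shows the file is missing its trailing newline.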