title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
    condition: selection
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1088
falsepositives:
    - unknown
level: high
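As an added example (not part of the rule or of the Sigma project), the selection above evaluated in Python over constructed Sysmon Event ID 13 records. It shows how the `\\*` in `TargetObject` is a Sigma-escaped literal backslash followed by a wildcard that absorbs the per-user SID, and that matching is case-insensitive as Sigma specifies; the sample events and SIDs are constructed and follow the rule's own `HKEY_USERS\<SID>` form.

```python
import re

# Fields of the rule's "selection" block, copied from the rule above.
SELECTION = {
    "EventID": 13,
    "TargetObject": r"HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand",
}


def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a Sigma string pattern into an anchored, case-insensitive regex.

    Sigma escaping: '\\\\' is a literal backslash, '\\*' a literal asterisk and
    '\\?' a literal question mark; a backslash before any other character is a
    plain backslash; bare '*' and '?' are wildcards.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
        elif ch == "*":
            out.append(".*")  # wildcard: here it swallows the user SID
            i += 1
        elif ch == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


TARGET_RE = sigma_pattern_to_regex(SELECTION["TargetObject"])


def matches(event: dict) -> bool:
    """True when a Sysmon registry event satisfies the rule's selection."""
    if event.get("EventID") != SELECTION["EventID"]:
        return False
    return TARGET_RE.match(str(event.get("TargetObject", ""))) is not None


def alerts(events):
    """Return the events that would fire this rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry); only the first should fire.
SID = r"S-1-5-21-1234567890-1234567890-1234567890-1001"  # constructed SID
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": rf"HKEY_USERS\{SID}\Classes\exefile\shell\runas\command\isolatedCommand"},
    {"EventID": 12, "TargetObject": rf"HKEY_USERS\{SID}\Classes\exefile\shell\runas\command"},  # key create, no value
    {"EventID": 13, "TargetObject": rf"HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"},  # unrelated value
]
```

Run `alerts(SAMPLE_EVENTS)` to see that only the isolatedCommand value write is returned; feeding real Sysmon Event 13 records exported as dicts works the same way.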