valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
32ecb81630
SigmaHQ/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00

27 lines
756 B
YAML
Raw Blame History

title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
date: 2017/03/17
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
# usrclass.dat is mounted on HKU\USERSID_Classes\...
TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
- attack.t1548.002
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink