valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
440b0ddffe
SigmaHQ/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
Thomas Patzke 64fa3b162d
Tag fixes
2018-08-07 08:18:16 +02:00

23 lines
600 B
YAML
Raw Blame History

title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: 'HKEY_USERS\*\Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink