Bypass UAC via Sdclt

Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.


[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
# Not production-ready: the query text itself records that the rule has not been exercised
# against the live sdclt.exe binary. Treat alerts as needing analyst validation until then.
maturity = "development"
updated_date = "2023/10/13"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with
11elevated permissions.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Bypass UAC via Sdclt"
18risk_score = 73
19rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
20severity = "high"
21tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
22type = "eql"
23
24query = '''
25/* add winlogbeat-* when process.code_signature.* fields are populated */
26/* still needs testing, applicable binary was not available on test machine */
27
28sequence with maxspan=1m
29  [process where host.os.type == "windows" and event.type == "start" and process.name : "sdclt.exe" and
30     /* uncomment once in winlogbeat */
31     /* process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and */
32     process.args : "/kickoffelev"
33  ] by process.entity_id
34  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sdclt.exe" and
35     not (process.executable : "C:\\Windows\\System32\\sdclt.exe" or
36          process.executable : "C:\\Windows\\System32\\control.exe" or
37          process.executable : "C:\\Windows\\SysWOW64\\sdclt.exe" or
38          process.executable : "C:\\Windows\\SysWOW64\\control.exe")
39  ] by process.parent.entity_id
40'''
41
42
# Privilege Escalation mapping: the UAC bypass itself (T1548.002).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
60
# Defense Evasion mapping via System Binary Proxy Execution.
# NOTE(review): the subtechnique chosen below is T1218.014 "MMC", but the proxy binary this
# rule's query keys on is sdclt.exe, not mmc.exe. Confirm this is the intended subtechnique
# before relying on it for ATT&CK coverage reporting; mapping to the parent T1218 only may
# be the safer choice if no sdclt-specific subtechnique applies.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.014"
name = "MMC"
reference = "https://attack.mitre.org/techniques/T1218/014/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
