Potential Privilege Escalation Attempt Via .Exe.Local Technique
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
Sigma rule (View on GitHub)
1title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
2id: 07a99744-56ac-40d2-97b7-2095967b0e03
3status: test
4description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
5references:
6 - https://github.com/binderlabs/DirCreate2System
7 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
8author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
9date: 2022/12/16
10modified: 2022/12/19
11tags:
12 - attack.defense_evasion
13 - attack.persistence
14 - attack.privilege_escalation
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection:
20 TargetFilename|startswith:
21 - 'C:\Windows\System32\logonUI.exe.local'
22 - 'C:\Windows\System32\werFault.exe.local'
23 - 'C:\Windows\System32\consent.exe.local'
24 - 'C:\Windows\System32\narrator.exe.local'
25 - 'C:\Windows\System32\wermgr.exe.local'
26 TargetFilename|endswith: '\comctl32.dll'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting - binderlabs/DirCreate2System
Read More -
collect for learning cases. Contribute to sailay1996/awesome_windows_logical_bugs development by creating an account on GitHub.
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow