UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
Sigma rule (View on GitHub)
1title: UAC Bypass Using IDiagnostic Profile - File
2id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
3status: test
4description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
5references:
6 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-07-03
9tags:
10 - attack.execution
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1548.002
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 Image|endswith: '\DllHost.exe'
20 TargetFilename|startswith: 'C:\Windows\System32\'
21 TargetFilename|endswith: '.dll'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
Related rules
- Audit CVE Event
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe