UAC Bypass Using MSConfig Token Modification - File

Apr 28, 2026 · attack.privilege-escalation attack.t1548.002 ·

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

Sigma rule (View on GitHub)

 1title: UAC Bypass Using MSConfig Token Modification - File
 2id: 41bb431f-56d8-4691-bb56-ed34e390906f
 3status: test
 4description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
 5references:
 6    - https://github.com/hfiref0x/UACME
 7author: Christian Burkard (Nextron Systems)
 8date: 2021-08-30
 9modified: 2022-10-09
10tags:
11    - attack.privilege-escalation
12    - attack.t1548.002
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename|startswith: 'C:\Users\'
19        TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

https://github.com/hfiref0x/UACME

Read More

Related rules

Always Install Elevated MSI Spawned Cmd And Powershell
Always Install Elevated Windows Installer
Bypass UAC Using DelegateExecute
Bypass UAC Using SilentCleanup Task
Bypass UAC via CMSTP