UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from a temp folder or any other user-controlled location in the user's %PATH%
Sigma rule
```yaml
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from a temp folder or any other user-controlled location in the user's %PATH%
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
    - https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image: C:\Windows\SysWOW64\iscsicpl.exe
        ImageLoaded|endswith: '\iscsiexe.dll'
    filter:
        ImageLoaded|contains|all:
            - 'C:\Windows\'
            - 'iscsiexe.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
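As an added example (not code from the Sigma project or the rule author), the rule's `selection and not filter` logic reimplemented in Python and run over constructed Sysmon image-load records; the field names and sample paths are assumptions, not real telemetry:

```python
# Added example (not from the Sigma project): evaluates this rule's
# "selection and not filter" logic over constructed Sysmon Event ID 7
# (ImageLoad) records.  Field names and sample paths are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str         # loading process (Sysmon "Image")
    image_loaded: str  # DLL that was mapped (Sysmon "ImageLoaded")


def rule_matches(event: ImageLoadEvent) -> bool:
    """True when the event satisfies 'selection and not filter'."""
    # Sigma matching on Windows log sources is case-insensitive.
    image = event.image.lower()
    loaded = event.image_loaded.lower()
    # selection: 32-bit iscsicpl.exe mapping a file named iscsiexe.dll
    selection = (image == "c:\\windows\\syswow64\\iscsicpl.exe"
                 and loaded.endswith("\\iscsiexe.dll"))
    # filter: ImageLoaded contains both 'C:\Windows\' and 'iscsiexe.dll'
    legitimate = "c:\\windows\\" in loaded and "iscsiexe.dll" in loaded
    return selection and not legitimate


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Benign: the genuine DLL from the 32-bit system directory.
    ImageLoadEvent("C:\\Windows\\SysWOW64\\iscsicpl.exe",
                   "C:\\Windows\\SysWOW64\\iscsiexe.dll"),
    # Flagged: same-named DLL resolved from a user-writable temp folder.
    ImageLoadEvent("C:\\Windows\\SysWOW64\\iscsicpl.exe",
                   "C:\\Users\\alice\\AppData\\Local\\Temp\\iscsiexe.dll"),
    # Not flagged: the filter excludes every path under C:\Windows\,
    # subfolders included, which is a blind spot worth knowing about.
    ImageLoadEvent("C:\\Windows\\SysWOW64\\iscsicpl.exe",
                   "C:\\Windows\\Temp\\iscsiexe.dll"),
    # Out of scope: unrelated process and DLL.
    ImageLoadEvent("C:\\Windows\\System32\\notepad.exe",
                   "C:\\Windows\\System32\\kernel32.dll"),
]


def find_hits(events):
    """Return the ImageLoaded path of every event the rule would flag."""
    return [e.image_loaded for e in events if rule_matches(e)]
```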
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager