UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from temp or any user-controlled location in the user's %PATH%
Sigma rule
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from temp or any user-controlled location in the user's %PATH%
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
    - https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/17
modified: 2022/07/25
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image: C:\Windows\SysWOW64\iscsicpl.exe
        ImageLoaded|endswith: '\iscsiexe.dll'
    filter:
        ImageLoaded|contains|all:
            - 'C:\Windows\'
            - 'iscsiexe.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
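To make the detection block's semantics concrete, the following is an added example (not part of the rule or of the Sigma project) that hand-translates the rule's selection, filter and condition into Python and runs it over a few constructed Sysmon Event ID 7 (Image loaded) records reduced to the two fields the rule reads. The sample paths and user name are constructed for the example and do not come from any incident; the event dictionary shape is an assumption about how the log pipeline presents the fields.

```python
"""Evaluate the Sigma rule above against Sysmon image_load events.

Added example, not part of the rule or the Sigma project: it hand-translates
the rule's selection/filter/condition into Python and runs it over a few
constructed events so the match behaviour can be checked offline.
"""

# Rule parameters, copied from the Sigma rule above.
SELECTION_IMAGE = r"C:\Windows\SysWOW64\iscsicpl.exe"
SELECTION_LOADED_SUFFIX = r"\iscsiexe.dll"
FILTER_LOADED_CONTAINS_ALL = ("C:\\Windows\\", "iscsiexe.dll")


def _norm(value):
    """Sigma string matching is case-insensitive by default; normalise once."""
    return (value or "").casefold()


def selection(event):
    """'selection': exact Image match AND ImageLoaded ends with the DLL name."""
    return (
        _norm(event.get("Image")) == _norm(SELECTION_IMAGE)
        and _norm(event.get("ImageLoaded")).endswith(_norm(SELECTION_LOADED_SUFFIX))
    )


def filter_(event):
    """'filter': ImageLoaded contains every listed substring (contains|all)."""
    loaded = _norm(event.get("ImageLoaded"))
    return all(_norm(part) in loaded for part in FILTER_LOADED_CONTAINS_ALL)


def matches(event):
    """'condition: selection and not filter'."""
    return selection(event) and not filter_(event)


# Constructed Sysmon Event ID 7 records (assumed field names Image/ImageLoaded,
# as Sysmon emits them). None of these paths come from a real incident.
SAMPLE_EVENTS = [
    {   # legitimate load from the SysWOW64 copy -> suppressed by the filter
        "Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
        "ImageLoaded": r"C:\Windows\SysWOW64\iscsiexe.dll",
    },
    {   # DLL picked up from a user-writable directory -> alert
        "Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\iscsiexe.dll",
    },
    {   # same DLL name but a different host process -> no selection match
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\iscsiexe.dll",
    },
    {   # case differs from the rule text; Sigma matching ignores case -> alert
        "Image": r"c:\windows\syswow64\ISCSICPL.EXE",
        "ImageLoaded": r"D:\tools\ISCSIEXE.DLL",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the ImageLoaded paths of the events that trigger the rule."""
    return [e["ImageLoaded"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in evaluate():
        print("ALERT iscsicpl.exe loaded iscsiexe.dll from:", hit)
```

Two points the translation makes visible: Sigma's `endswith` and `contains` modifiers are case-insensitive substring tests, so the fourth event fires even though its case differs from the rule text; and because `contains` is a substring match, the filter suppresses a load of `iscsiexe.dll` from any path that includes `C:\Windows\`, not only the System32 and SysWOW64 copies. If that is broader than intended in a given environment, `startswith` on the expected directory is the tighter alternative when tuning.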
Related rules
- UAC Bypass Using IDiagnostic Profile
- UAC Bypass Using IDiagnostic Profile - File
- Potentially Suspicious Event Viewer Child Process
- Bypass UAC Using DelegateExecute
- Disable UAC Using Registry