Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
Sigma rule (View on GitHub)
1title: Function Call From Undocumented COM Interface EditionUpgradeManager
2id: fb3722e4-1a06-46b6-b772-253e2e7db933
3status: test
4description: Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
5references:
6 - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
7 - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
8author: oscd.community, Dmitry Uchakin
9date: 2020-10-07
10modified: 2023-11-30
11tags:
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1548.002
15logsource:
16 category: process_access
17 product: windows
18detection:
19 selection:
20 CallTrace|contains: 'editionupgrademanagerobj.dll'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP UAC Bypass via COM Object Access