Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
Sigma rule (View on GitHub)
1title: Function Call From Undocumented COM Interface EditionUpgradeManager
2id: fb3722e4-1a06-46b6-b772-253e2e7db933
3status: test
4description: Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
5references:
6 - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
7 - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
8author: oscd.community, Dmitry Uchakin
9date: 2020/10/07
10modified: 2023/11/30
11tags:
12 - attack.defense_evasion
13 - attack.privilege_escalation
14 - attack.t1548.002
15logsource:
16 category: process_access
17 product: windows
18detection:
19 selection:
20 CallTrace|contains: 'editionupgrademanagerobj.dll'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
Related rules
- HackTool - UACMe Akagi Execution
- UAC Bypass via Event Viewer
- UAC Bypass Using IDiagnostic Profile
- UAC Bypass Using IDiagnostic Profile - File
- UAC Bypass Using Iscsicpl - ImageLoad