Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
Sigma rule (View on GitHub)
1title: Function Call From Undocumented COM Interface EditionUpgradeManager
2id: fb3722e4-1a06-46b6-b772-253e2e7db933
3status: test
4description: Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
5references:
6 - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
7 - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
8author: oscd.community, Dmitry Uchakin
9date: 2020-10-07
10modified: 2023-11-30
11tags:
12 - attack.privilege-escalation
13 - attack.t1548.002
14logsource:
15 category: process_access
16 product: windows
17detection:
18 selection:
19 CallTrace|contains: 'editionupgrademanagerobj.dll'
20 condition: selection
21falsepositives:
22 - Unknown
23level: medium
References
Related rules
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP