Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
Sigma rule (View on GitHub)
1title: Explorer NOUACCHECK Flag
2id: 534f2ef7-e8a2-4433-816d-c91bccde289b
3status: test
4description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
5references:
6 - https://twitter.com/ORCA6665/status/1496478087244095491
7author: Florian Roth (Nextron Systems)
8date: 2022-02-23
9modified: 2022-04-21
10tags:
11 - attack.defense-evasion
12 - attack.t1548.002
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\explorer.exe'
19 CommandLine|contains: '/NOUACCHECK'
20 filter_dc_logon:
21 - ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
22 - ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
23 condition: selection and not 1 of filter_*
24falsepositives:
25 - Domain Controller User Logon
26 - Unknown how many legitimate software products use that method
27level: high
References
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP UAC Bypass via COM Object Access