Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
Sigma rule (View on GitHub)
1title: Explorer NOUACCHECK Flag
2id: 534f2ef7-e8a2-4433-816d-c91bccde289b
3status: test
4description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
5references:
6 - https://twitter.com/ORCA6665/status/1496478087244095491
7author: Florian Roth (Nextron Systems)
8date: 2022-02-23
9modified: 2022-04-21
10tags:
11 - attack.privilege-escalation
12 - attack.defense-evasion
13 - attack.t1548.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\explorer.exe'
20 CommandLine|contains: '/NOUACCHECK'
21 filter_dc_logon:
22 - ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
23 - ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
24 condition: selection and not 1 of filter_*
25falsepositives:
26 - Domain Controller User Logon
27 - Unknown how many legitimate software products use that method
28level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Bypass UAC via Fodhelper.exe
- PowerShell Web Access Feature Enabled Via DISM
- Sdclt Child Processes