HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods
Sigma rule (View on GitHub)
1title: HackTool - Empire PowerShell UAC Bypass
2id: 3268b746-88d8-4cd3-bffc-30077d02c787
3status: stable
4description: Detects some Empire PowerShell UAC bypass methods
5references:
6 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
7 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
8author: Ecco
9date: 2019-08-30
10modified: 2023-02-21
11tags:
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1548.002
15 - car.2019-04-001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains:
22 - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
23 - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
24 condition: selection
25fields:
26 - CommandLine
27 - ParentCommandLine
28falsepositives:
29 - Unknown
30level: critical
References
Related rules
- Potentially Suspicious Event Viewer Child Process
- UAC Bypass via Event Viewer
- UAC Bypass via Sdclt
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task