HackTool - UACMe Akagi Execution
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
Sigma rule (View on GitHub)
1title: HackTool - UACMe Akagi Execution
2id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
3status: test
4description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
5references:
6 - https://github.com/hfiref0x/UACME
7author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
8date: 2021-08-30
9modified: 2024-11-23
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1548.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_pe:
19 - Product: 'UACMe'
20 - Company:
21 - 'REvol Corp'
22 - 'APT 92'
23 - 'UG North'
24 - 'Hazardous Environments'
25 - 'CD Project Rekt'
26 - Description:
27 - 'UACMe main module'
28 - 'Pentesting utility'
29 - OriginalFileName:
30 - 'Akagi.exe'
31 - 'Akagi64.exe'
32 selection_img:
33 Image|endswith:
34 - '\Akagi64.exe'
35 - '\Akagi.exe'
36 selection_hashes_sysmon:
37 Hashes|contains:
38 - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
39 - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
40 - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
41 - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
42 - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
43 - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
44 - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
45 - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
46 - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
47 - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
48 - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
49 condition: 1 of selection_*
50falsepositives:
51 - Unknown
52level: high
References
-
Defeating Windows User Account Control. Contribute to hfiref0x/UACME development by creating an account on GitHub.
Read More
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP