HackTool - UACMe Akagi Execution

 1title: HackTool - UACMe Akagi Execution
 2id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
 3status: test
 4description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
 5references:
 6    - https://github.com/hfiref0x/UACME
 7author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
 8date: 2021-08-30
 9modified: 2024-11-23
10tags:
11    - attack.privilege-escalation
12    - attack.t1548.002
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_pe:
18        - Product: 'UACMe'
19        - Company:
20              - 'REvol Corp'
21              - 'APT 92'
22              - 'UG North'
23              - 'Hazardous Environments'
24              - 'CD Project Rekt'
25        - Description:
26              - 'UACMe main module'
27              - 'Pentesting utility'
28        - OriginalFileName:
29              - 'Akagi.exe'
30              - 'Akagi64.exe'
31    selection_img:
32        Image|endswith:
33            - '\Akagi64.exe'
34            - '\Akagi.exe'
35    selection_hashes_sysmon:
36        Hashes|contains:
37            - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
38            - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
39            - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
40            - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
41            - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
42            - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
43            - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
44            - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
45            - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
46            - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
47            - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
48    condition: 1 of selection_*
49falsepositives:
50    - Unknown
51level: high