HackTool - UACMe Akagi Execution

calendar Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002  ·
Share on: linkedin copy

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

Sigma rule (View on GitHub)

 1title: HackTool - UACMe Akagi Execution
 2id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
 3status: test
 4description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
 5references:
 6    - https://github.com/hfiref0x/UACME
 7author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
 8date: 2021/08/30
 9modified: 2022/11/19
10tags:
11    - attack.defense_evasion
12    - attack.privilege_escalation
13    - attack.t1548.002
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_pe:
19        - Product: 'UACMe'
20        - Company:
21              - 'REvol Corp'
22              - 'APT 92'
23              - 'UG North'
24              - 'Hazardous Environments'
25              - 'CD Project Rekt'
26        - Description:
27              - 'UACMe main module'
28              - 'Pentesting utility'
29        - OriginalFileName:
30              - 'Akagi.exe'
31              - 'Akagi64.exe'
32    selection_img:
33        Image|endswith:
34            - '\Akagi64.exe'
35            - '\Akagi.exe'
36    selection_hashes_sysmon:
37        Hashes|contains:
38            - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
39            - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
40            - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
41            - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
42            - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
43            - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
44            - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
45            - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
46            - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
47            - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
48            - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
49    selection_hashes_other:
50        Imphash:
51            - '767637c23bb42cd5d7397cf58b0be688'
52            - '14c4e4c72ba075e9069ee67f39188ad8'
53            - '3c782813d4afce07bbfc5a9772acdbdc'
54            - '7d010c6bb6a3726f327f7e239166d127'
55            - '89159ba4dd04e4ce5559f132a9964eb3'
56            - '6f33f4a5fc42b8cec7314947bd13f30f'
57            - '5834ed4291bdeb928270428ebbaf7604'
58            - '5a8a8a43f25485e7ee1b201edcbc7a38'
59            - 'dc7d30b90b2d8abf664fbed2b1b59894'
60            - '41923ea1f824fe63ea5beb84db7a3e74'
61            - '3de09703c8e79ed2ca3f01074719906b'
62    condition: 1 of selection_*
63falsepositives:
64    - Unknown
65level: high

References

Related rules

to-top