UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
Sigma rule (View on GitHub)
1title: UAC Bypass Using IDiagnostic Profile
2id: 4cbef972-f347-4170-b62a-8253f6168e6d
3status: test
4description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
5references:
6 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-07-03
9modified: 2024-12-01
10tags:
11 - attack.execution
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1548.002
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith: '\DllHost.exe'
21 ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
22 IntegrityLevel:
23 - 'High'
24 - 'System'
25 - 'S-1-16-16384' # System
26 - 'S-1-16-12288' # High
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Contribute to Wh04m1001/IDiagnosticProfileUAC development by creating an account on GitHub.
Read More
Related rules
- CMSTP UAC Bypass via COM Object Access
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- UAC Bypass Using IDiagnostic Profile - File
- Potential UAC Bypass Via Sdclt.EXE