TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Sigma rule
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
  - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
  - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
  - https://github.com/netero1010/TrustedPath-UACBypass-BOF
author: Florian Roth (Nextron Systems)
date: 2021-08-27
tags:
  - attack.defense-evasion
  - attack.t1548.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: 'C:\Windows \System32\'
  condition: selection
falsepositives:
  - Unknown
level: critical
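The rule's selection evaluated over constructed process-creation events, as an added example that is not part of the rule or the SigmaHQ project. The trusted-directory set and the sample image paths are assumptions; the generalised check goes beyond the rule's single literal and flags any whitespace-padded directory component that normalises to a trusted path, which the literal alone (System32 only, with one space) does not cover.

```python
# Added example: evaluate the rule's selection and a generalised variant over
# constructed events. Neither the event data nor TRUSTED_DIRS come from the rule.
MOCK_TRUSTED_DIR = "C:\\Windows \\System32\\"   # the rule's literal: note the space after "Windows"

# Assumed trusted directories for the generalised check (assumption, not from the rule).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def sigma_selection_matches(image: str) -> bool:
    """The rule's `Image|contains` test. Sigma string matching is case-insensitive,
    so both sides are lower-cased before the substring comparison."""
    return MOCK_TRUSTED_DIR.lower() in image.lower()


def mocked_trusted_dir(image: str) -> bool:
    """Generalised check: some directory component carries trailing whitespace, and once
    that whitespace is stripped the executable sits under a trusted directory."""
    parts = image.split("\\")
    dirs = parts[:-1]                      # everything before the file name
    if not any(d != d.rstrip() for d in dirs):
        return False
    normalized = "\\".join(d.rstrip() for d in dirs).lower() + "\\"
    return any(normalized.startswith(t) for t in TRUSTED_DIRS)


def scan(events):
    """Return (image, rule_hit, generalised_hit) for every event flagged by either check."""
    hits = []
    for e in events:
        rule_hit = sigma_selection_matches(e["Image"])
        gen_hit = mocked_trusted_dir(e["Image"])
        if rule_hit or gen_hit:
            hits.append((e["Image"], rule_hit, gen_hit))
    return hits


# Constructed sample events (Sysmon-style process_creation records, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},    # legitimate, must not fire
    {"EventID": 1, "Image": "C:\\Windows \\System32\\app.exe"},   # mocked trusted directory
    {"EventID": 1, "Image": "c:\\windows \\system32\\app.exe"},   # same path, different case
    {"EventID": 1, "Image": "C:\\Windows \\SysWOW64\\app.exe"},   # missed by the literal alone
    {"EventID": 1, "Image": "C:\\Users\\alice \\tool.exe"},       # padded but untrusted location
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```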
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP UAC Bypass via COM Object Access