Bypass UAC via WSReset.exe

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Sigma rule

title: Bypass UAC via WSReset.exe
id: d797268e-28a9-49a7-b9a8-2f5039011c5c
related:
    - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
      type: obsolete
status: test
description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
    - https://www.activecyber.us/activelabs/windows-uac-bypass
    - https://twitter.com/ReaQta/status/1222548288731217921
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
date: 2019-10-24
modified: 2022-05-13
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsreset.exe'
    filter:
        - Image|endswith: '\conhost.exe'
        - OriginalFileName: 'CONHOST.EXE'
    condition: selection and not filter
falsepositives:
    - Unknown sub processes of Wsreset.exe
level: high
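The rule's logic, applied to a few constructed process_creation events, as an added example (not part of the Sigma rule or the page): the selection keys on the parent image, the two list items under filter are ORed together as in Sigma semantics, and the condition excludes only the expected conhost.exe child. Field names follow the rule; the sample events and file paths are constructed for illustration.

```python
"""Added example: evaluate the WSReset.exe Sigma rule against constructed events."""
from typing import Dict, List, Optional

# Constructed process_creation events (not real telemetry), using the rule's field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Expected child of WSReset.exe: a console host, excluded by the filter.
    {"ParentImage": r"C:\Windows\System32\WSReset.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "OriginalFileName": "CONHOST.EXE"},
    # Unexpected child under WSReset.exe: this is what the rule is meant to surface.
    {"ParentImage": r"C:\Windows\System32\wsreset.exe",
     "Image": r"C:\Users\Public\child.exe",
     "OriginalFileName": "child.exe"},
    # Renamed binary: Image does not end with conhost.exe but OriginalFileName still does,
    # so the second filter item still excludes it (Sigma string matching is case-insensitive).
    {"ParentImage": r"C:\Windows\System32\WSReset.exe",
     "Image": r"C:\Windows\System32\ch.exe",
     "OriginalFileName": "conhost.exe"},
    # Unrelated process tree: the selection does not match at all.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def _endswith_ci(value: Optional[str], suffix: str) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match, missing field never matches."""
    return value is not None and value.lower().endswith(suffix.lower())


def selection(event: Dict[str, str]) -> bool:
    """selection: ParentImage|endswith: '\\wsreset.exe'"""
    return _endswith_ci(event.get("ParentImage"), r"\wsreset.exe")


def filter_conhost(event: Dict[str, str]) -> bool:
    """filter: a YAML list of maps, so either item matching excludes the event."""
    return (_endswith_ci(event.get("Image"), r"\conhost.exe")
            or (event.get("OriginalFileName") or "").lower() == "conhost.exe")


def matches(event: Dict[str, str]) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not filter_conhost(event)


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]
```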
