UAC Bypass WSReset

 1title: UAC Bypass WSReset
 2id: 89a9a0e0-f61a-42e5-8957-b1479565a658
 3status: test
 4description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
 7    - https://github.com/hfiref0x/UACME
 8    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 9author: Christian Burkard (Nextron Systems)
10date: 2021-08-23
11modified: 2022-10-09
12tags:
13    - attack.defense-evasion
14    - attack.privilege-escalation
15    - attack.t1548.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\wsreset.exe'
22        IntegrityLevel:
23            - 'High'
24            - 'System'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

• Wsreset on LOLBAS

  

  Wsreset.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• GitHub - hfiref0x/UACME: Defeating Windows User Account Control

  

  Defeating Windows User Account Control. Contribute to hfiref0x/UACME development by creating an account on GitHub.

  
  Read More

• FalconFriday — Detecting UAC Bypasses — 0xFF16

  

  Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks…

  
  Read More

Related rules

• Bypass UAC Using DelegateExecute
• Bypass UAC Using SilentCleanup Task
• Bypass UAC via CMSTP
• Bypass UAC via WSReset.exe
• CMSTP UAC Bypass via COM Object Access