UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Sigma rule (View on GitHub)
1title: UAC Bypass WSReset
2id: 89a9a0e0-f61a-42e5-8957-b1479565a658
3status: test
4description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
7 - https://github.com/hfiref0x/UACME
8 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
9author: Christian Burkard (Nextron Systems)
10date: 2021-08-23
11modified: 2024-12-01
12tags:
13 - attack.defense-evasion
14 - attack.privilege-escalation
15 - attack.t1548.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\wsreset.exe'
22 IntegrityLevel:
23 - 'High'
24 - 'System'
25 - 'S-1-16-16384' # System
26 - 'S-1-16-12288' # High
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Wsreset.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Defeating Windows User Account Control. Contribute to hfiref0x/UACME development by creating an account on GitHub.
Read More -
Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks…
Read More
Related rules
- CMSTP UAC Bypass via COM Object Access
- Potential UAC Bypass Via Sdclt.EXE
- UAC Bypass Abusing Winsat Path Parsing - Process
- UAC Bypass Tools Using ComputerDefaults
- UAC Bypass Using ChangePK and SLUI