Shell Open Registry Keys Manipulation
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Sigma rule (View on GitHub)
1title: Shell Open Registry Keys Manipulation
2id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
3status: test
4description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
5references:
6 - https://github.com/hfiref0x/UACME
7 - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
8 - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
9 - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
10author: Christian Burkard (Nextron Systems)
11date: 2021-08-30
12modified: 2022-01-13
13tags:
14 - attack.defense-evasion
15 - attack.privilege-escalation
16 - attack.t1548.002
17 - attack.t1546.001
18logsource:
19 category: registry_event
20 product: windows
21detection:
22 selection1:
23 EventType: SetValue
24 TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
25 Details|contains: '\Software\Classes\{'
26 selection2:
27 TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
28 selection3:
29 EventType: SetValue
30 TargetObject|endswith:
31 - 'Classes\ms-settings\shell\open\command\(Default)'
32 - 'Classes\exefile\shell\open\command\(Default)'
33 filter_sel3:
34 Details: '(Empty)'
35 condition: selection1 or selection2 or (selection3 and not filter_sel3)
36falsepositives:
37 - Unknown
38level: high
References
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager