Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Sigma rule (View on GitHub)
1title: Bypass UAC Using DelegateExecute
2id: 46dd5308-4572-4d12-aa43-8938f0184d4f
3status: test
4description: Bypasses User Account Control using a fileless method
5references:
6 - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
7 - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
9author: frack113
10date: 2022-01-05
11modified: 2023-08-17
12tags:
13 - attack.privilege-escalation
14 - attack.defense-evasion
15 - attack.t1548.002
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|endswith: '\open\command\DelegateExecute'
22 Details: (Empty)
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Exposes methods that set a given state or parameter related to the command verb, as well as a method to invoke that verb.
Read More -
The IExecuteCommand interface is a simpler form of context menu extension which takes care of the annoying parts of IContextMenu so you can focus on your area of expertise, namely, doing the actual thing the user selected, and leave the shell to doing the grunt work of managing the UI part. I’ve never needed a […]
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP UAC Bypass via COM Object Access
- Function Call From Undocumented COM Interface EditionUpgradeManager