Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Sigma rule (View on GitHub)
1title: Bypass UAC Using DelegateExecute
2id: 46dd5308-4572-4d12-aa43-8938f0184d4f
3status: test
4description: Bypasses User Account Control using a fileless method
5references:
6 - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
7 - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
9author: frack113
10date: 2022-01-05
11modified: 2023-08-17
12tags:
13 - attack.privilege-escalation
14 - attack.defense-evasion
15 - attack.t1548.002
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|endswith: '\open\command\DelegateExecute'
22 Details: (Empty)
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
Related rules
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager
- HackTool - Empire PowerShell UAC Bypass