Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Sigma rule (View on GitHub)
1title: Bypass UAC Using DelegateExecute
2id: 46dd5308-4572-4d12-aa43-8938f0184d4f
3status: test
4description: Bypasses User Account Control using a fileless method
5references:
6 - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
7 - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
9author: frack113
10date: 2022/01/05
11modified: 2023/08/17
12tags:
13 - attack.privilege_escalation
14 - attack.defense_evasion
15 - attack.t1548.002
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|endswith: '\open\command\DelegateExecute'
22 Details: (Empty)
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Exposes methods that set a given state or parameter related to the command verb, as well as a method to invoke that verb.
Read More -
The IExecuteCommand interface is a simpler form of context menu extension which takes care of the annoying parts of IContextMenu so you can focus on your area of expertise, namely, doing the actual thing the user selected, and leave the shell to doing the grunt work of managing the UI part.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Disable UAC Using Registry
- UAC Bypass Abusing Winsat Path Parsing - Registry
- UAC Bypass Using Windows Media Player - Registry
- UAC Bypass via Sdclt
- UAC Bypass Via Wsreset