Bypass UAC Using DelegateExecute

 1title: Bypass UAC Using DelegateExecute
 2id: 46dd5308-4572-4d12-aa43-8938f0184d4f
 3status: test
 4description: Bypasses User Account Control using a fileless method
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 7    - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
 9author: frack113
10date: 2022-01-05
11modified: 2023-08-17
12tags:
13    - attack.privilege-escalation
14    - attack.t1548.002
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|endswith: '\open\command\DelegateExecute'
21        Details: (Empty)
22    condition: selection
23falsepositives:
24    - Unknown
25level: high
26regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
27simulation:
28    - type: atomic-red-team
29      name: Bypass UAC using sdclt DelegateExecute
30      technique: T1548.002
31      atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7

References

• https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand

  
  Read More

• https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623

  
  Read More

• https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute

  
  Read More

Related rules

• Always Install Elevated MSI Spawned Cmd And Powershell
• Always Install Elevated Windows Installer
• Bypass UAC Using SilentCleanup Task
• Bypass UAC via CMSTP
• Bypass UAC via Fodhelper.exe