Bypass UAC Using DelegateExecute

Bypasses User Account Control using a fileless method

Sigma rule (View on GitHub)

 1title: Bypass UAC Using DelegateExecute
 2id: 46dd5308-4572-4d12-aa43-8938f0184d4f
 3status: test
 4description: Bypasses User Account Control using a fileless method
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 7    - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
 9author: frack113
10date: 2022/01/05
11modified: 2023/08/17
12tags:
13    - attack.privilege_escalation
14    - attack.defense_evasion
15    - attack.t1548.002
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|endswith: '\open\command\DelegateExecute'
22        Details: (Empty)
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top