COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Sigma rule

```yaml
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1546
    - attack.t1548
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
falsepositives:
    - Unknown
level: high
```
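Added example, not part of the rule or of the Sigma project: a minimal evaluator for this rule's single selection, run over constructed Sysmon registry_set records. It shows the case-insensitive `contains` match and why the rule omits the hive prefix (Sysmon reports HKCU writes under `HKU\<user SID>\...`); the event dictionaries and SIDs are constructed sample data.

```python
from typing import Iterable

# The rule's only selection. Sigma string matching is case-insensitive unless
# the 'cased' modifier is used, so both sides are lower-cased before comparing.
DELEGATE_EXECUTE_PATH = r"\Software\Classes\Folder\shell\open\command\DelegateExecute"

def is_registry_set(event: dict) -> bool:
    """logsource category 'registry_set' maps to Sysmon Event ID 13 (SetValue)."""
    return event.get("EventID") == 13 and event.get("EventType") == "SetValue"

def selection_matches(event: dict) -> bool:
    """TargetObject|contains: the path fragment, matched case-insensitively."""
    return DELEGATE_EXECUTE_PATH.lower() in event.get("TargetObject", "").lower()

def run_rule(events: Iterable[dict]) -> list:
    """Return the events that satisfy 'condition: selection' for this rule."""
    return [e for e in events if is_registry_set(e) and selection_matches(e)]

# Constructed sample events (not real telemetry). Sysmon records HKCU writes
# under HKU\<user SID>\..., which is why the rule matches the path without a hive.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    # Value write to the per-user Folder handler: should alert
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Classes\Folder\shell\open\command\DelegateExecute"},
    # Benign Explorer setting: should not alert
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    # Key creation (Sysmon Event ID 12) is outside the registry_set logsource
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": SID + r"\Software\Classes\Folder\shell\open\command"},
    # Same value written with different casing: still matches
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": SID + r"\software\classes\folder\shell\open\command\delegateexecute"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT level=high image={hit['Image']} target={hit['TargetObject']}")
```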
Related rules
- AWS Suspicious SAML Activity
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Control Panel Items
- Suspicious Get-Variable.exe Creation