COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Sigma rule
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
    - attack.privilege-escalation
    - attack.t1546
    - attack.t1548
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
falsepositives:
    - Unknown
level: high
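The rule has a single selection with one `contains` modifier, so it is easy to see exactly what fires it and what does not. The following matcher is an added example, not part of the SigmaHQ rule or the author's work: it applies that selection to constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records, the event type behind the `registry_set` logsource category. The SID and file paths in the sample events are placeholders. Two points it makes visible: Sysmon records HKCU writes as `HKU\<SID>\...`, which is why the pattern has no hive prefix (it therefore also matches the same path under HKLM), and a write to the key's `(Default)` value, which sits beside `DelegateExecute`, is not covered by this selection.

```python
"""Added example (not part of the SigmaHQ rule): apply the rule's selection to
constructed Sysmon Event ID 13 records. Event contents, SID and paths are
constructed placeholders."""
from typing import Dict, Iterable, List

RULE_TITLE = "COM Hijack via Sdclt"
RULE_LEVEL = "high"
# The rule's selection, exactly as written: one field with the 'contains' modifier.
RULE_SELECTION: Dict[str, str] = {
    "TargetObject|contains": r"\Software\Classes\Folder\shell\open\command\DelegateExecute",
}


def sigma_contains(value: object, needle: str) -> bool:
    """Sigma string matching is case-insensitive by default, so compare case-folded."""
    return needle.lower() in str(value).lower()


def selection_matches(event: Dict[str, object],
                      selection: Dict[str, str] = RULE_SELECTION) -> bool:
    """Every field/modifier pair in a selection must match (Sigma ANDs them)."""
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise NotImplementedError(f"modifier not handled in this example: {modifier}")
        if field not in event or not sigma_contains(event[field], needle):
            return False
    return True


def run_rule(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per matching event, carrying the rule's title and level."""
    alerts: List[Dict[str, object]] = []
    for event in events:
        if selection_matches(event):
            alerts.append({"rule": RULE_TITLE, "level": RULE_LEVEL,
                           "image": event.get("Image"), "target": event["TargetObject"]})
    return alerts


# Constructed Sysmon Event ID 13 records. Sysmon writes HKCU paths as HKU\<SID>\...,
# which is why the rule's pattern deliberately omits the hive prefix.
SID = r"HKU\S-1-5-21-111111111-222222222-333333333-1001"  # placeholder SID
SAMPLE_EVENTS = [
    # The value the rule is written for.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Classes\Folder\shell\open\command\DelegateExecute",
     "Details": "(Empty)"},
    # Companion write to the (Default) value of the same key: outside this rule's selection.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Classes\Folder\shell\open\command\(Default)",
     "Details": r"C:\Users\placeholder\AppData\Local\Temp\example.exe"},
    # Benign per-user registry write that shares nothing with the pattern.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # Same value path under HKLM in mixed case: still matches, because the pattern has
    # no hive prefix and Sigma matching is case-insensitive.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Folder\Shell\Open\Command\DelegateExecute",
     "Details": "(Empty)"},
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

When triaging a hit, the `Image` field of the same event (the process that wrote the value) is the first thing to look at, since the rule itself places no constraint on it; the `(Default)` value written to the same key carries the command that would be launched and is worth pulling from the surrounding Event ID 13 records.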