Explorer UAC Bypass Via /NOUACCHECK Parameter

Detects a possible attempt to circumvent User Account Control (UAC) by executing Windows Explorer with the /NOUACCHECK parameter to spawn a command line interpreter process without triggering UAC prompts.

Sigma rule

```yaml
title: Explorer UAC Bypass Via /NOUACCHECK Parameter
description: Detects a possible attempt to circumvent User Account Control (UAC) by executing Windows Explorer with the /NOUACCHECK parameter to spawn a command line interpreter process without triggering UAC prompts.
status: experimental
date: 2023/07/16
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - ' /nouaccheck '
        ParentImage|endswith:
            - '\explorer.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
            - '\cmd.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.privilege_escalation
    - attack.T1548.002
```
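The rule's selection logic as a stand-alone matcher run over constructed process_creation events, so the three-field AND and Sigma's default case-insensitive matching can be seen working. This is an added example, not part of the rule or of SigmaHQ; the sample events are constructed, not real telemetry.

```python
# Added example: evaluates the detection logic of the Sigma rule above
# against constructed process_creation events. This is not part of the
# rule or of SigmaHQ; field names follow the Sigma process_creation taxonomy.

# Values copied from the rule's selection1.
COMMANDLINE_CONTAINS = [" /nouaccheck "]
PARENT_IMAGE_ENDSWITH = ["\\explorer.exe"]
IMAGE_ENDSWITH = ["\\powershell.exe", "\\pwsh.exe",
                  "\\powershell_ise.exe", "\\cmd.exe"]


def _contains_any(value, needles):
    # Sigma's contains/endswith modifiers match case-insensitively by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when all three fields of selection1 match (the rule's condition)."""
    return (_contains_any(event.get("CommandLine", ""), COMMANDLINE_CONTAINS)
            and _endswith_any(event.get("ParentImage", ""), PARENT_IMAGE_ENDSWITH)
            and _endswith_any(event.get("Image", ""), IMAGE_ENDSWITH))


def alerting_events(events):
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe",            # expected: alert
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /NOUACCHECK /k"},
    {"ParentImage": "C:\\Windows\\explorer.exe",            # benign: no flag
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /k"},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",   # parent not explorer
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe /nouaccheck -NoProfile"},
    {"ParentImage": "C:\\Windows\\explorer.exe",            # child not a shell
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe /nouaccheck x.txt"},
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "<-", e["ParentImage"])
```

Only the first sample event satisfies all three fields; the others each fail exactly one, which is the behaviour to keep in mind when extending the Image or ParentImage lists during tuning.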
