Explorer UAC Bypass Via /NOUACCHECK Parameter
Detects a possible attempt to circumvent User Account Control (UAC) by executing Windows Explorer so that it spawns a command line interpreter process without triggering a UAC prompt.
Sigma rule (View on GitHub)
```yaml
title: Explorer UAC Bypass Via /NOUACCHECK Parameter
description: Detects a possible attempt to circumvent User Account Control (UAC) by executing Windows Explorer so that it spawns a command line interpreter process without triggering a UAC prompt.
status: experimental
date: 2023/07/16
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - ' /nouaccheck '
        ParentImage|endswith:
            - '\explorer.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
            - '\cmd.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.privilege_escalation
    - attack.t1548.002
```
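The following is an added example, not code from the Sigma project or from the rule author, that evaluates the rule's `selection1` logic over a handful of constructed process-creation events. It uses the same field names the rule uses (`Image`, `ParentImage`, `CommandLine`) and applies Sigma's default case-insensitive string matching; the events themselves are made up for illustration.

```python
# Added example: evaluate the selection logic of the Sigma rule above
# against constructed process_creation events. Not part of SigmaHQ.
from typing import Dict, List

# Values copied from the rule. Sigma compares strings case-insensitively,
# so every comparison below lower-cases both sides.
CMDLINE_CONTAINS = [" /nouaccheck "]
PARENT_ENDSWITH = ["\\explorer.exe"]
IMAGE_ENDSWITH = [
    "\\powershell.exe",
    "\\pwsh.exe",
    "\\powershell_ise.exe",
    "\\cmd.exe",
]


def _contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' modifier: any needle is a substring of value."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value: str, suffixes: List[str]) -> bool:
    """Sigma 'endswith' modifier: value ends with any of the suffixes."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event: Dict[str, str]) -> bool:
    """True when the event satisfies selection1 (all three fields must match)."""
    return (
        _contains_any(event.get("CommandLine", ""), CMDLINE_CONTAINS)
        and _endswith_any(event.get("ParentImage", ""), PARENT_ENDSWITH)
        and _endswith_any(event.get("Image", ""), IMAGE_ENDSWITH)
    )


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {  # 0: cmd.exe under explorer.exe with the parameter -> alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /NOUACCHECK /c whoami',
    },
    {  # 1: mixed case everywhere -> still an alert (case-insensitive matching)
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\WINDOWS\EXPLORER.EXE",
        "CommandLine": r"pwsh.exe /NoUacCheck -NoProfile",
    },
    {  # 2: ordinary cmd.exe launched from Explorer -> no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {  # 3: parameter present but parent is not explorer.exe -> no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"cmd.exe /nouaccheck /c whoami",
    },
    {  # 4: parent and parameter match but child is not an interpreter -> no alert
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe /nouaccheck readme.txt",
    },
    {  # 5: parameter at the very end of the command line: the rule's
       # ' /nouaccheck ' needs a trailing space, so this is NOT matched
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe /NOUACCHECK",
    },
]


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running this flags events 0 and 1 only. Event 5 shows a tuning point worth knowing before deploying the rule: because the rule pads `/nouaccheck` with a space on both sides, a command line that ends with the parameter is not matched, so an environment that wants that case covered would need an additional `CommandLine|endswith: ' /nouaccheck'` value (or a regex) in the selection.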
Related rules
- UAC Bypass Via Wsreset
- APT PRIVATELOG Image Load Pattern
- Exploiting CVE-2019-1388
- Exploiting SetupComplete.cmd CVE-2019-1378
- Moriya Rootkit File Created