Explorer UAC Bypass Via /NOUACCHECK Parameter

Detects a possible attempt to circumvent User Account Control (UAC) by executing Windows Explorer so that it spawns a command line interpreter process without triggering a UAC prompt.

Sigma rule

title: Explorer UAC Bypass Via /NOUACCHECK Parameter
id: c284e98e-a2a6-4917-aeb9-7159c6283e05
description: Detects possible attempt to circumvent the User Account Control (UAC) by executing Windows Explorer to spawn a command line interpreter process without triggering UAC prompts.
status: experimental
date: 2023/07/16
author: @kostastsale
references:
    - 
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - ' /nouaccheck '
        ParentImage|endswith:
            - '\explorer.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
            - '\cmd.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.privilege_escalation
    - attack.T1548.002
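To see what the selection above actually matches, the following is an added example (not part of the rule, nor of the Sigma project's tooling) that evaluates the three fields of `selection1` over a handful of constructed process_creation events. The events are made up for the demonstration and are not real telemetry; the only assumption about Sigma semantics is that the `contains` and `endswith` modifiers compare strings case-insensitively, which is the default for plain string values.

```python
# Added example: a minimal evaluator for the rule's selection over constructed
# process_creation events. It is not part of the Sigma rule or of any Sigma
# tooling; the event dictionaries below are made up to exercise the rule.

# Selection transcribed from the rule. Fields of one selection are ANDed;
# the values listed under a field are ORed.
SELECTION = {
    ("CommandLine", "contains"): [" /nouaccheck "],
    ("ParentImage", "endswith"): ["\\explorer.exe"],
    ("Image", "endswith"): [
        "\\powershell.exe",
        "\\pwsh.exe",
        "\\powershell_ise.exe",
        "\\cmd.exe",
    ],
}


def field_matches(value: str, modifier: str, patterns: list[str]) -> bool:
    """Apply one Sigma string modifier. Matching is case-insensitive,
    which is Sigma's default for plain string values."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
    return False


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """True when every field of the selection matches the event (AND)."""
    return all(
        field_matches(event.get(field, ""), modifier, patterns)
        for (field, modifier), patterns in selection.items()
    )


def run_rule(events: list[dict]) -> list[int]:
    """Return the ids of the events that satisfy the rule's condition."""
    return [e["id"] for e in events if selection_matches(e)]


# Constructed sample events (not real telemetry).
EVENTS = [
    # 1: interpreter spawned by explorer.exe, flag surrounded by spaces -> alert
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /nouaccheck /c whoami"},
    # 2: same command line but the parent is not explorer.exe -> no alert
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "cmd.exe /nouaccheck /c whoami"},
    # 3: flag present but the child is not one of the listed interpreters -> no alert
    {"id": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe /nouaccheck file.txt"},
    # 4: flag at the very end of the command line, no trailing space ->
    #    no alert, because the pattern ' /nouaccheck ' requires a space after it
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe /nouaccheck"},
    # 5: upper-case spelling, spaces around the flag -> alert (case-insensitive)
    {"id": 5, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "pwsh.exe /NOUACCHECK -Command whoami"},
]

if __name__ == "__main__":
    print("matching event ids:", run_rule(EVENTS))  # [1, 5]
```

Two points the sample events make explicit. First, all three fields refer to the child process record: `CommandLine` is the interpreter's own command line, so the rule fires only when the `/nouaccheck` token is carried there; a `ParentCommandLine` field, where the log source provides one, is not consulted by this rule. Second, the pattern `' /nouaccheck '` has a space on both sides, so a command line that ends with the flag (event 4) does not match; whether that is acceptable or the pattern should be loosened to `'/nouaccheck'` is a tuning decision for the deploying team.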
