SOAR
Panther
1,713 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,713
high
Moderate
Medium FP
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
view Sigma YAML
title: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
id: 81c0b7f5-81c9-435e-a291-bc32fc2b72cd
status: experimental
description: |
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
- https://novasky.io/hunts/hunting-litellm-supply-chain
- https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
- https://huskyhacks.io/posts/litellm-cred-stealer/
- https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.002
- attack.initial-access
- attack.t1195.002
- detection.emerging-threats
logsource:
category: file_event
product: linux
detection:
selection:
Image|contains: '/python3'
TargetFilename|endswith:
- '/.config/sysmon/sysmon.py'
- '/.config/systemd/user/sysmon.service'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
view Sigma YAML
title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: test
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Admin registered security info
Status: Admin registered temporary access pass method for user
condition: selection
falsepositives:
- Administrator adding a legitimate temporary access pass
level: high
Convert to SIEM query
high
Strong
Medium FP
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
view Sigma YAML
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1112
logsource:
category: registry_delete
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
selection2:
EventType: DeleteKey
TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
view Sigma YAML
title: Terminal Service Process Spawn
id: 1012f107-b8f1-4271-af30-5aed2de89b39
status: test
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth (Nextron Systems)
date: 2019-05-22
modified: 2023-01-25
tags:
- attack.initial-access
- attack.t1190
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine|contains|all:
- '\svchost.exe'
- 'termsvcs'
filter_img:
Image|endswith:
- '\rdpclip.exe'
- ':\Windows\System32\csrss.exe'
- ':\Windows\System32\wininit.exe'
- ':\Windows\System32\winlogon.exe'
filter_null:
Image: null
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
view Sigma YAML
title: TerraMaster TOS CVE-2020-28188
id: 15c312b9-00d0-4feb-8870-7d940a4bdc5e
status: test
description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
references:
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
author: Bhabesh Raj
date: 2021-01-25
modified: 2023-01-02
tags:
- attack.t1190
- attack.initial-access
- cve.2020-28188
- detection.emerging-threats
logsource:
category: webserver
detection:
base_url:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/include/makecvs.php'
- '?Event='
payload:
cs-uri-query|contains:
- 'curl'
- 'wget'
- '.py'
- '.sh'
- 'chmod'
- '_GET'
condition: base_url and payload
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Time Travel Debugging Utility Usage
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
view Sigma YAML
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
Convert to SIEM query
high
Strong
High FP
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
view Sigma YAML
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\ttdrecord.dll'
- '\ttdwriter.dll'
- '\ttdloader.dll'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
Convert to SIEM query
high
Moderate
Medium FP
Too Many Global Admins
Identifies an event where there are there are too many accounts assigned the Global Administrator role.
view Sigma YAML
title: Too Many Global Admins
id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3
status: test
description: Identifies an event where there are there are too many accounts assigned the Global Administrator role.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'
condition: selection
falsepositives:
- Investigate if threshold setting in PIM is too low.
level: high
Convert to SIEM query
high
Moderate
High FP
Tor Client/Browser Execution
Detects the use of Tor or Tor-Browser to connect to onion routing networks
view Sigma YAML
title: Tor Client/Browser Execution
id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
status: test
description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022-02-20
modified: 2025-10-27
tags:
- attack.command-and-control
- attack.t1090.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Tor Browser'
- Product: 'Tor Browser'
- Image|endswith:
- '\tor.exe'
- '\Tor Browser\Browser\firefox.exe'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml
Convert to SIEM query
high
Moderate
High FP
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
view Sigma YAML
title: Trickbot Malware Activity
id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
related:
- id: c37510b8-2107-4b78-aa32-72f251e7a844
type: similar
status: stable
description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
references:
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Florian Roth (Nextron Systems)
date: 2020-11-26
modified: 2021-11-27
tags:
- attack.execution
- attack.t1559
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wermgr.exe'
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains: 'DllRegisterServer'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
view Sigma YAML
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename: '/tmp/rootlog'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
view Sigma YAML
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
- https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.003
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith: 'ebpfbackdoor'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Triple Cross eBPF Rootkit Execve Hijack
Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
view Sigma YAML
title: Triple Cross eBPF Rootkit Execve Hijack
id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
status: test
description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains: 'execve_hijack'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Triple Cross eBPF Rootkit Install Commands
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
view Sigma YAML
title: Triple Cross eBPF Rootkit Install Commands
id: 22236d75-d5a0-4287-bf06-c93b1770860f
status: test
description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
- attack.stealth
- attack.t1014
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains|all:
- ' tc '
- ' enp0s3 '
CommandLine|contains:
- ' qdisc '
- ' filter '
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
view Sigma YAML
title: TropicTrooper Campaign November 2018
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
status: stable
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: '@41thexplorer, Microsoft Defender ATP'
date: 2019-11-12
modified: 2020-08-27
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'
condition: selection
level: high
Convert to SIEM query
high
Moderate
Medium FP
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
view Sigma YAML
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
view Sigma YAML
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
- id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
type: similar
status: experimental
description: |
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
- https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.007
- attack.t1548.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains:
- ':\Windows \System32\' # Note the space between "Windows" and "System32"
- ':\Windows \SysWOW64\' # Note the space between "Windows" and "SysWOW64"
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Low FP
Turla Service Install
This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
view Sigma YAML
title: Turla Service Install
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
status: test
description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
author: Florian Roth (Nextron Systems)
date: 2017-03-31
modified: 2021-11-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.g0010
- attack.t1543.003
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName:
- 'srservice'
- 'ipvpn'
- 'hkmsvc'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith:
- '\AppData\Local\Temp\system32\winsat.exe'
- '\AppData\Local\Temp\system32\winmm.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - Process
id: 7a01183d-71a2-46ad-ad5c-acd989ac1793
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - Registry
id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
TargetObject|endswith: '\LowerCaseLongPath'
Details|startswith: 'c:\users\'
Details|endswith: '\appdata\local\temp\system32\winsat.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
view Sigma YAML
title: UAC Bypass Tools Using ComputerDefaults
id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
status: test
description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-31
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
Image: 'C:\Windows\System32\ComputerDefaults.exe'
filter:
ParentImage|contains:
- ':\Windows\System32'
- ':\Program Files'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
view Sigma YAML
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using ChangePK and SLUI
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
view Sigma YAML
title: UAC Bypass Using ChangePK and SLUI
id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
status: test
description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
references:
- https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\changepk.exe'
ParentImage|endswith: '\slui.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
view Sigma YAML
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
TargetFilename|endswith: '\comctl32.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
view Sigma YAML
title: UAC Bypass Using Consent and Comctl32 - Process
id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\consent.exe'
Image|endswith: '\werfault.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
view Sigma YAML
title: UAC Bypass Using Disk Cleanup
id: b697e69c-746f-4a86-9f59-7bfff8eab881
status: test
description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
view Sigma YAML
title: UAC Bypass Using DismHost
id: 853e74f9-9392-4935-ad3b-2e8c040dae86
status: test
description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\'
- '\DismHost.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
view Sigma YAML
title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
- id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
- https://twitter.com/orange_8361/status/1518970259868626944
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-22
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_path:
# Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
CommandLine|contains:
- '\Event Viewer\RecentViews'
- '\EventV~1\RecentViews'
selection_redirect:
CommandLine|contains: '>'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
view Sigma YAML
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
- https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
- https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
# Removed the start just in case the logging backend doesn't expand ENV variables when they're used
- '\Microsoft\Event Viewer\RecentViews'
- '\Microsoft\EventV~1\RecentViews'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
view Sigma YAML
title: UAC Bypass Using IDiagnostic Profile
id: 4cbef972-f347-4170-b62a-8253f6168e6d
status: test
description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
references:
- https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
modified: 2024-12-01
tags:
- attack.execution
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\DllHost.exe'
ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
view Sigma YAML
title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: test
description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
references:
- https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
tags:
- attack.execution
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\DllHost.exe'
TargetFilename|startswith: 'C:\Windows\System32\'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
view Sigma YAML
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: 'consent.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
view Sigma YAML
title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
ParentImage|endswith: '\ieinstal.exe'
Image|contains: '\AppData\Local\Temp\'
Image|endswith: 'consent.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
view Sigma YAML
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
- https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: image_load
detection:
selection:
Image: C:\Windows\SysWOW64\iscsicpl.exe
ImageLoaded|endswith: '\iscsiexe.dll'
filter:
ImageLoaded|contains|all:
- 'C:\Windows\'
- 'iscsiexe.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
view Sigma YAML
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
view Sigma YAML
title: UAC Bypass Using MSConfig Token Modification - Process
id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
view Sigma YAML
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
view Sigma YAML
title: UAC Bypass Using NTFS Reparse Point - Process
id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
CommandLine|endswith: '\AppData\Local\Temp\update.msu'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
selection2:
ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
IntegrityLevel:
- 'High'
- 'System'
CommandLine|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\'
- '\dismhost.exe {'
Image|endswith: '\DismHost.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
view Sigma YAML
title: UAC Bypass Using PkgMgr and DISM
id: a743ceba-c771-4d75-97eb-8a90f7f4844c
status: test
description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\pkgmgr.exe'
Image|endswith: '\dism.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
view Sigma YAML
title: UAC Bypass Using WOW64 Logger DLL Hijack
id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
status: test
description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_access
product: windows
detection:
selection:
SourceImage|contains: ':\Windows\SysWOW64\'
GrantedAccess: '0x1fffff'
CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection1:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
selection2:
Image: 'C:\Windows\system32\DllHost.exe'
TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Via Wsreset
Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
view Sigma YAML
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
references:
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
view Sigma YAML
title: UAC Bypass WSReset
id: 89a9a0e0-f61a-42e5-8957-b1479565a658
status: test
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
references:
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wsreset.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
view Sigma YAML
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1548.002
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\dism.exe'
ImageLoaded|endswith: '\dismcore.dll'
filter:
ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
condition: selection and not filter
falsepositives:
- Actions of a legitimate telnet client
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer
view Sigma YAML
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: test
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\mscfile\shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
view Sigma YAML
title: UAC Bypass via ICMLuaUtil
id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
status: test
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
author: Florian Roth (Nextron Systems), Elastic (idea)
date: 2022-09-13
modified: 2022-09-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\dllhost.exe'
ParentCommandLine|contains:
- '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
filter:
- Image|endswith: '\WerFault.exe'
- OriginalFileName: 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
view Sigma YAML
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: test
description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- https://github.com/hfiref0x/UACME
author: Omer Yampel, Christian Burkard (Nextron Systems)
date: 2017-03-17
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: registry_set
product: windows
detection:
selection1:
TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
selection2:
TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
Details|re: '-1[0-9]{3}\\Software\\Classes\\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1551-1600 of 1,713