Sigma detection rules

80 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. The raw YAML is listed under each rule.

Detection rules

critical
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods
status: stable · author: Ecco · id: 3268b746-88d8-4cd3-bffc-30077d02c787
title: HackTool - Empire PowerShell UAC Bypass
id: 3268b746-88d8-4cd3-bffc-30077d02c787
status: stable
description: Detects some Empire PowerShell UAC bypass methods
references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
author: Ecco
date: 2019-08-30
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
            - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
status: test · author: Florian Roth (Nextron Systems) · id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
    - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
      type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
    - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
    - https://github.com/netero1010/TrustedPath-UACBypass-BOF
    - https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'C:\Windows \System32\'
            - 'C:\Windows \SysWOW64\'
    condition: selection
falsepositives:
    - Unknown
level: critical
high
Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
status: test · author: Semanur Guneysu @semanurtg, oscd.community · id: d522eca2-2973-4391-a3e0-ef0374321dae
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\winlogon.exe'
            - '\services.exe'
            - '\lsass.exe'
            - '\csrss.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\spoolsv.exe'
            - '\searchindexer.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\cmd.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'Cmd.Exe'
    filter:
        CommandLine|contains|all:
            - ' route '
            - ' ADD '
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high
high
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
status: test · author: frack113 · id: 46dd5308-4572-4d12-aa43-8938f0184d4f
title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
status: test
description: Bypasses User Account Control using a fileless method
references:
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\open\command\DelegateExecute'
        Details: (Empty)
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using sdclt DelegateExecute
      technique: T1548.002
      atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7
high
Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
status: test · author: frack113, Nextron Systems · id: 724ea201-6514-4f38-9739-e5973c34f49a
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
    Detects the setting of the environment variable "windir" to a non default value.
    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
    The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Environment\windir'
    filter_main_default:
        Details: '%SystemRoot%'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using SilentCleanup Task
      technique: T1548.002
      atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
high
Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
status: test · author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community · id: e66779cc-383e-4224-a3a4-267eeb585c40
title: Bypass UAC via CMSTP
id: e66779cc-383e-4224-a3a4-267eeb585c40
status: test
description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
    - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-08-30
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmstp.exe'
        - OriginalFileName: 'CMSTP.EXE'
    selection_cli:
        CommandLine|contains:
            - '/s'
            - '-s'
            - '/au'
            - '-au'
            - '/ni'
            - '-ni'
    condition: all of selection*
falsepositives:
    - Legitimate use of cmstp.exe utility by legitimate user
level: high
high
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
status: test · author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community · id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
title: Bypass UAC via Fodhelper.exe
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
status: test
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
    condition: selection
falsepositives:
    - Legitimate use of fodhelper.exe utility by legitimate user
level: high
high
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
status: test · author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth · id: d797268e-28a9-49a7-b9a8-2f5039011c5c
title: Bypass UAC via WSReset.exe
id: d797268e-28a9-49a7-b9a8-2f5039011c5c
related:
    - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
      type: obsolete
status: test
description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
    - https://www.activecyber.us/activelabs/windows-uac-bypass
    - https://twitter.com/ReaQta/status/1222548288731217921
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
date: 2019-10-24
modified: 2022-05-13
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsreset.exe'
    filter:
        - Image|endswith: '\conhost.exe'
        - OriginalFileName: 'CONHOST.EXE'
    condition: selection and not filter
falsepositives:
    - Unknown sub processes of Wsreset.exe
level: high
high
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
status: stable · author: Nik Seetharaman, Christian Burkard (Nextron Systems) · id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
title: CMSTP UAC Bypass via COM Object Access
id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
status: stable
description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
    - https://twitter.com/hFireF0X/status/897640081053364225
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
    - https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains:
            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
status: test · author: Omkar Gudhate · id: 07743f65-7ec9-404a-a519-913db7118a8d
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546
    - attack.t1548
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
status: test · author: Florent Labouyrie · id: 174afcfa-6e40-4ae9-af64-496546389294
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
    - Internal Research
author: Florent Labouyrie
date: 2021-04-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\svchost.exe'
        GrantedAccess: '0x143a'
    filter_main_known_processes:
        SourceImage|endswith:
            - '\services.exe'
            - '\msiexec.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all subprocesses of the newly started explorer.exe to run without any UAC checks
status: test · author: Florian Roth (Nextron Systems) · id: 534f2ef7-e8a2-4433-816d-c91bccde289b
title: Explorer NOUACCHECK Flag
id: 534f2ef7-e8a2-4433-816d-c91bccde289b
status: test
description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all subprocesses of the newly started explorer.exe to run without any UAC checks
references:
    - https://twitter.com/ORCA6665/status/1496478087244095491
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\explorer.exe'
        CommandLine|contains: '/NOUACCHECK'
    filter_dc_logon:
        - ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
        - ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
    condition: selection and not 1 of filter_*
falsepositives:
    - Domain Controller User Logon
    - Unknown how many legitimate software products use that method
level: high
high
HackTool - UACMe Akagi Execution
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
status: test · author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) · id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
title: HackTool - UACMe Akagi Execution
id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
status: test
description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2021-08-30
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Product: 'UACMe'
        - Company:
              - 'REvol Corp'
              - 'APT 92'
              - 'UG North'
              - 'Hazardous Environments'
              - 'CD Project Rekt'
        - Description:
              - 'UACMe main module'
              - 'Pentesting utility'
        - OriginalFileName:
              - 'Akagi.exe'
              - 'Akagi64.exe'
    selection_img:
        Image|endswith:
            - '\Akagi64.exe'
            - '\Akagi.exe'
    selection_hashes_sysmon:
        Hashes|contains:
            - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
            - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
            - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
            - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
            - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
            - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
            - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
            - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
            - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
            - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
            - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status: test · author: Swachchhanda Shrawan Poudel · id: d557dc06-62e8-4468-a8e8-7984124908ce
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status: test · author: Swachchhanda Shrawan Poudel · id: 851fd622-b675-4d26-b803-14bc7baa517a
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
high
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
status: test · author: Elastic, @SBousseaden · id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
    This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
    - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid|startswith: 'S-1-5-21-'
        TargetUserSid|endswith: '-500'
    filter_main_ip_null:
        IpPort: '0'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
status: test · author: Florian Roth (Nextron Systems) · id: be344333-921d-4c4d-8bb8-e584cf584780
title: Potentially Suspicious Event Viewer Child Process
id: be344333-921d-4c4d-8bb8-e584cf584780
related:
    - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
      type: derived
status: test
description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\eventvwr.exe'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\System32\WerFault.exe'
            - ':\Windows\SysWOW64\WerFault.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
status: test · author: Michael Haag · id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
title: PowerShell Web Access Feature Enabled Via DISM
id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
status: test
description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
references:
    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
author: Michael Haag
date: 2024-09-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dism.exe'
        - OriginalFileName: 'DISM.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'WindowsPowerShellWebAccess'
            - '/online'
            - '/enable-feature'
    condition: all of selection_*
falsepositives:
    - Legitimate PowerShell Web Access installations by administrators
level: high
high
Regedit as Trusted Installer
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
status: test · author: Florian Roth (Nextron Systems) · id: 883835a7-df45-43e4-bf1d-4268768afda4
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Shell Open Registry Keys Manipulation
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
status: test · author: Christian Burkard (Nextron Systems) · id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
related:
    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
      type: similar
status: test
description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
    - https://github.com/hfiref0x/UACME
    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
    - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-01-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: SetValue
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
        Details|contains: '\Software\Classes\{'
    selection2:
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
    selection3:
        EventType: SetValue
        TargetObject|endswith:
            - 'Classes\ms-settings\shell\open\command\(Default)'
            - 'Classes\exefile\shell\open\command\(Default)'
    filter_sel3:
        Details: '(Empty)'
    condition: selection1 or selection2 or (selection3 and not filter_sel3)
falsepositives:
    - Unknown
level: high
high
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
    - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
      type: similar
status: experimental
description: |
    Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
    This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
    - https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.007
    - attack.t1548.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - ':\Windows \System32\'  # Note the space between "Windows" and "System32"
            - ':\Windows \SysWOW64\'  # Note the space between "Windows" and "SysWOW64"
    condition: selection
falsepositives:
    - Unlikely
level: high
high
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
status test author Christian Burkard (Nextron Systems) id 155dbf56-e0a4-4dd0-8905-8a98705045e8
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith:
            - '\AppData\Local\Temp\system32\winsat.exe'
            - '\AppData\Local\Temp\system32\winmm.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
status test author Christian Burkard (Nextron Systems) id 7a01183d-71a2-46ad-ad5c-acd989ac1793
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - Process
id: 7a01183d-71a2-46ad-ad5c-acd989ac1793
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
        ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
status test author Christian Burkard (Nextron Systems) id 6597be7b-ac61-4ac8-bef4-d3ec88174853
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - Registry
id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
        TargetObject|endswith: '\LowerCaseLongPath'
        Details|startswith: 'c:\users\'
        Details|endswith: '\appdata\local\temp\system32\winsat.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
status test author Christian Burkard (Nextron Systems) id 3c05e90d-7eba-4324-9972-5d7f711a60a8
view Sigma YAML
title: UAC Bypass Tools Using ComputerDefaults
id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
status: test
description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-31
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        Image: 'C:\Windows\System32\ComputerDefaults.exe'
    filter:
        ParentImage|contains:
            - ':\Windows\System32'
            - ':\Program Files'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
status test author Christian Burkard (Nextron Systems) id 93a19907-d4f9-4deb-9f91-aac4692776a6
view Sigma YAML
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using ChangePK and SLUI
Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
status test author Christian Burkard (Nextron Systems) id 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
view Sigma YAML
title: UAC Bypass Using ChangePK and SLUI
id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
status: test
description: Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
references:
    - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
    - https://github.com/hfiref0x/UACME
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\changepk.exe'
        ParentImage|endswith: '\slui.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
status test author Christian Burkard (Nextron Systems) id 62ed5b55-f991-406a-85d9-e8e8fdf18789
view Sigma YAML
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
        TargetFilename|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
status test author Christian Burkard (Nextron Systems) id 1ca6bd18-0ba0-44ca-851c-92ed89a61085
view Sigma YAML
title: UAC Bypass Using Consent and Comctl32 - Process
id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\consent.exe'
        Image|endswith: '\werfault.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
status test author Christian Burkard (Nextron Systems) id b697e69c-746f-4a86-9f59-7bfff8eab881
view Sigma YAML
title: UAC Bypass Using Disk Cleanup
id: b697e69c-746f-4a86-9f59-7bfff8eab881
status: test
description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
        ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
status test author Christian Burkard (Nextron Systems) id 853e74f9-9392-4935-ad3b-2e8c040dae86
view Sigma YAML
title: UAC Bypass Using DismHost
id: 853e74f9-9392-4935-ad3b-2e8c040dae86
status: test
description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Temp\'
            - '\DismHost.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
status test author Nasreddine Bencherchali (Nextron Systems) id 4cbef972-f347-4170-b62a-8253f6168e6d
view Sigma YAML
title: UAC Bypass Using IDiagnostic Profile
id: 4cbef972-f347-4170-b62a-8253f6168e6d
status: test
description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique
status test author Nasreddine Bencherchali (Nextron Systems) id 48ea844d-19b1-4642-944e-fe39c2cc1fec
view Sigma YAML
title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: test
description: Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\DllHost.exe'
        TargetFilename|startswith: 'C:\Windows\System32\'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
status test author Christian Burkard (Nextron Systems) id bdd8157d-8e85-4397-bb82-f06cc9c71dbb
view Sigma YAML
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
status test author Christian Burkard (Nextron Systems) id 80fc36aa-945e-4181-89f2-2f907ab6775d
view Sigma YAML
title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\ieinstal.exe'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load custom DLLs from temp or any user-controlled location in the user's %PATH%
status test author Nasreddine Bencherchali (Nextron Systems) id 9ed5959a-c43c-4c59-84e3-d28628429456
view Sigma YAML
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load custom DLLs from temp or any user-controlled location in the user's %PATH%
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
    - https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image: C:\Windows\SysWOW64\iscsicpl.exe
        ImageLoaded|endswith: '\iscsiexe.dll'
    filter:
        ImageLoaded|contains|all:
            - 'C:\Windows\'
            - 'iscsiexe.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
status test author Christian Burkard (Nextron Systems) id 41bb431f-56d8-4691-bb56-ed34e390906f
view Sigma YAML
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
status test author Christian Burkard (Nextron Systems) id ad92e3f9-7eb6-460e-96b1-582b0ccbb980
view Sigma YAML
title: UAC Bypass Using MSConfig Token Modification - Process
id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
        CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
status test author Christian Burkard (Nextron Systems) id 7fff6773-2baa-46de-a24a-b6eec1aba2d1
view Sigma YAML
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
status test author Christian Burkard (Nextron Systems) id 39ed3c80-e6a1-431b-9df3-911ac53d08a7
view Sigma YAML
title: UAC Bypass Using NTFS Reparse Point - Process
id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|startswith: '"C:\Windows\system32\wusa.exe"  /quiet C:\Users\'
        CommandLine|endswith: '\AppData\Local\Temp\update.msu'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    selection2:
        ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
        IntegrityLevel:
            - 'High'
            - 'System'
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Temp\'
            - '\dismhost.exe {'
        Image|endswith: '\DismHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
status test author Christian Burkard (Nextron Systems) id a743ceba-c771-4d75-97eb-8a90f7f4844c
view Sigma YAML
title: UAC Bypass Using PkgMgr and DISM
id: a743ceba-c771-4d75-97eb-8a90f7f4844c
status: test
description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pkgmgr.exe'
        Image|endswith: '\dism.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
status test author Christian Burkard (Nextron Systems) id 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
view Sigma YAML
title: UAC Bypass Using WOW64 Logger DLL Hijack
id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
status: test
description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|contains: ':\Windows\SysWOW64\'
        GrantedAccess: '0x1fffff'
        CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
status test author Christian Burkard (Nextron Systems) id 68578b43-65df-4f81-9a9b-92f32711a951
view Sigma YAML
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
    selection2:
        Image: 'C:\Windows\system32\DllHost.exe'
        TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
status test author Christian Burkard (Nextron Systems) id 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_1:
        Image: 'C:\Program Files\Windows Media Player\osk.exe'
    selection_img_2:
        Image: 'C:\Windows\System32\cmd.exe'
        ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
    selection_integrity:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: 1 of selection_img_* and selection_integrity
falsepositives:
    - Unknown
level: high
high
UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
status test author Christian Burkard (Nextron Systems) id 5f9db380-ea57-4d1e-beab-8a2d33397e93
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass Via Wsreset
Unfixed method for UAC bypass from Windows 10. The WSReset.exe file is associated with the Windows Store. It will run a binary file specified in a low-privilege registry key.
status test author oscd.community, Dmitry Uchakin id 6ea3bf32-9680-422d-9f50-e90716b12a66
view Sigma YAML
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from Windows 10. The WSReset.exe file is associated with the Windows Store. It will run a binary file specified in a low-privilege registry key.
references:
    - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
status test author Christian Burkard (Nextron Systems) id 89a9a0e0-f61a-42e5-8957-b1479565a658
view Sigma YAML
title: UAC Bypass WSReset
id: 89a9a0e0-f61a-42e5-8957-b1479565a658
status: test
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
    - https://github.com/hfiref0x/UACME
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wsreset.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
status test author oscd.community, Dmitry Uchakin id a5ea83a7-05a5-44c1-be2e-addccbbd8c03
view Sigma YAML
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
    - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1548.002
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\dism.exe'
        ImageLoaded|endswith: '\dismcore.dll'
    filter:
        ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
    condition: selection and not filter
falsepositives:
    - Actions of a legitimate telnet client
level: high
high
UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer
status test author Florian Roth (Nextron Systems) id 7c81fec3-1c1d-43b0-996a-46753041b1b6
view Sigma YAML
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: test
description: Detects UAC bypass method using Windows event viewer
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\mscfile\shell\open\command'
    condition: selection
falsepositives:
    - Unknown
level: high
high
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
status test author Florian Roth (Nextron Systems), Elastic (idea) id 49f2f17b-b4c8-4172-a68b-d5bf95d05130
view Sigma YAML
title: UAC Bypass via ICMLuaUtil
id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
status: test
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
references:
    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
author: Florian Roth (Nextron Systems), Elastic (idea)
date: 2022-09-13
modified: 2022-09-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dllhost.exe'
        ParentCommandLine|contains:
            - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
            - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
    filter:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin