Detectionmediumtest

Potential UAC Bypass Via Sdclt.EXE

A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Sat May 02Updated Sun Dec 0140f9af16-589d-4984-b78d-8c2aec023197windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: 'sdclt.exe'
        IntegrityLevel:
            - 'High'
            - 'S-1-16-12288' # High
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion

Sub-techniques

T1548.002 · Bypass User Account Control

Rule Metadata

Rule ID

40f9af16-589d-4984-b78d-8c2aec023197

Status

test

Level

medium

Type

Detection

Created

Sat May 02

Modified

Sun Dec 01

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.t1548.002

View on GitHub