Detectionhightest

Bypass UAC Using DelegateExecute

Bypasses User Account Control using a fileless method

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Jan 05Updated Thu Aug 1746dd5308-4572-4d12-aa43-8938f0184d4fwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\open\command\DelegateExecute'
        Details: (Empty)
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

learn.microsoft.com

Resolving title…

devblogs.microsoft.com

Resolving title…

github.com

Testing & Validation

Simulations

atomic-red-teamT1548.002

View on ART

Bypass UAC using sdclt DelegateExecute

GUID: 3be891eb-4608-4173-87e8-78b494c029b7

Regression Tests

by SigmaHQ Team

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion

Sub-techniques

T1548.002 · Bypass User Account Control

Rule Metadata

Rule ID

46dd5308-4572-4d12-aa43-8938f0184d4f

Status

test

Level

high

Type

Detection

Created

Wed Jan 05

Modified

Thu Aug 17

Author

François Hubaut

Path

rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.t1548.002

View on GitHub