Detectionhightest
UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Omer Yampel, Christian Burkard (Nextron Systems)Created Fri Mar 17Updated Thu Aug 175b872a46-3b90-45c1-8419-f675db8053aawindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic2 selectors
detection:
selection1:
TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
selection2:
TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
Details|re: '-1[0-9]{3}\\Software\\Classes\\'
condition: 1 of selection*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Sub-techniques
CAR Analytics
2019-04-001 · CAR 2019-04-001
Rule Metadata
Rule ID
5b872a46-3b90-45c1-8419-f675db8053aa
Status
test
Level
high
Type
Detection
Created
Fri Mar 17
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1548.002car.2019-04-001