Detectionhightest
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Sun Jul 17Updated Mon Jul 259ed5959a-c43c-4c59-84e3-d28628429456windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
selection:
Image: C:\Windows\SysWOW64\iscsicpl.exe
ImageLoaded|endswith: '\iscsiexe.dll'
filter:
ImageLoaded|contains|all:
- 'C:\Windows\'
- 'iscsiexe.dll'
condition: selection and not filterFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
9ed5959a-c43c-4c59-84e3-d28628429456
Status
test
Level
high
Type
Detection
Created
Sun Jul 17
Modified
Mon Jul 25
Path
rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1548.002