Detectionhightest

UAC Bypass With Fake DLL

Attempts to load dismcore.dll after dropping it

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

oscd.community, Dmitry UchakinCreated Tue Oct 06Updated Sun Dec 25a5ea83a7-05a5-44c1-be2e-addccbbd8c03windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\dism.exe'
        ImageLoaded|endswith: '\dismcore.dll'
    filter:
        ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
    condition: selection and not filter

False Positives

Actions of a legitimate telnet client

References

Resolving title…

steemit.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion TA0004 · Privilege Escalation

Sub-techniques

T1548.002 · Bypass User Account Control T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

a5ea83a7-05a5-44c1-be2e-addccbbd8c03

Status

test

Level

high

Type

Detection

Created

Tue Oct 06

Modified

Sun Dec 25

Author

oscd.community, Dmitry Uchakin

Path

rules/windows/image_load/image_load_uac_bypass_via_dism.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1548.002attack.t1574.001

View on GitHub