Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

56 rules found for "attack.T1548.002"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumexperimental

Suspicious Shell Open Command Registry Modification

Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.

WindowsRegistry Set
TA0005 · Defense EvasionTA0004 · Privilege EscalationTA0003 · PersistenceT1548.002 · Bypass User Account Control+1
Swachchhanda Shrawan Poudel (Nextron Systems)Sat Jan 24windows
Detectionhightest

UAC Bypass via Event Viewer

Detects UAC bypass method using Windows event viewer

WindowsRegistry Set
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control2019-04-001 · CAR 2019-04-001
Florian Roth (Nextron Systems)Sun Mar 19windows
Detectionhightest

UAC Bypass via Sdclt

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

WindowsRegistry Set
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control2019-04-001 · CAR 2019-04-001
Omer Yampel+1Fri Mar 17windows
Detectionhightest

UAC Bypass Abusing Winsat Path Parsing - Registry

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

WindowsRegistry Set
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control
Christian Burkard (Nextron Systems)Mon Aug 30windows
Detectionhightest

UAC Bypass Using Windows Media Player - Registry

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

WindowsRegistry Set
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control
Christian Burkard (Nextron Systems)Mon Aug 23windows
Detectionmediumstable

UAC Disabled

Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1548.002 · Bypass User Account Control
François HubautWed Jan 05windows
Detectionmediumtest

UAC Notification Disabled

Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1548.002 · Bypass User Account Control
François Hubaut+1Fri May 10windows
Detectionmediumtest

UAC Secure Desktop Prompt Disabled

Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1548.002 · Bypass User Account Control
François HubautFri May 10windows
12