From d3bd73aefbcb5a862536e1a87c41f3a3ae2d903e Mon Sep 17 00:00:00 2001
From: Omer Yampel
Date: Fri, 17 Mar 2017 14:31:26 -0400
Subject: [PATCH] Create sysmon_sdclt_uac_bypass.yml

UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
---
 .../windows/sysmon/sysmon_sdclt_uac_bypass.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_sdclt_uac_bypass.yml

diff --git a/rules/windows/sysmon/sysmon_sdclt_uac_bypass.yml b/rules/windows/sysmon/sysmon_sdclt_uac_bypass.yml
new file mode 100644
index 000000000..5894a2f64
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_sdclt_uac_bypass.yml
@@ -0,0 +1,17 @@
+title: SDCLT UAC Bypass detection
+status: experimental
+description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
+reference: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
+author: Omer Yampel
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selector:
+    EventID: 13
+    TargetObject:
+      - 'HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand'
+  condition: selection
+falsepositives:
+  - unknown
+level: high
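Review bot: The `condition: selection` line references a selection the rule never defines — the block above it is named `selector` — so the rule cannot be compiled as written; rename the block to `selection:` (or change the line to `condition: selector`). The `TargetObject` value also uses PowerShell drive syntax (`HKCU:\...`), whereas Sysmon Event ID 13 typically records a current-user key under the user's hive as `HKU\<SID>\...`, so an exact match on this string would not fire; anchoring on the stable tail of the path, e.g. `- '*\Software\Classes\exefile\shell\runas\command\isolatedCommand'`, avoids both the drive prefix and the per-user SID. Since Sysmon only emits Event ID 13 for keys covered by the deployed configuration's RegistryEvent rules, the `description` should state that the rule depends on that key being monitored, so operators do not treat silence as absence of the technique.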