security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fefb8564717d69af72ededb4172bc7ec00aac734
blue-team-tools/rules/windows/process_creation/win_susp_uac_bypass_trustedpath.yml
T
Florian Roth f78225c394 rule: UAC bypass by mocking dirs
2021-08-27 18:12:21 +02:00

24 lines
719 B
YAML
Raw Blame History

title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
status: experimental
description: Detects indicators of a UAC bypass method by mocking directories
references:
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://github.com/netero1010/TrustedPath-UACBypass-BOF
author: Florian Roth
date: 2021/08/27
tags:
- attack.defense_evasion
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: 'C:\Windows \System32\'
condition: selection
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink