Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Michael Wade First Pass f70549e Jun 14, 2019
3 contributors

Users who have contributed to this file

@thomaspatzke @SherifEldeeb @samsson
24 lines (22 sloc) 623 Bytes
title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
falsepositives:
- unknown
level: high
You can’t perform that action at this time.