/
sdclt_uac_bypass.yml
88 lines (88 loc) · 3.98 KB
/
sdclt_uac_bypass.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Sdclt UAC Bypass
id: d71efbf6-da63-11eb-8c6e-acde48001122
version: 3
date: '2022-11-14'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
description: This search is to detect a suspicious sdclt.exe registry modification.
This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe
application by modifying some registry that sdclt.exe tries to open or query with
payload file path on it to be executed.
data_source:
- Sysmon EventID 1
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id
Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name
Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`
| join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE ((Registry.registry_path= "*\\Windows\\CurrentVersion\\App Paths\\control.exe*"
OR Registry.registry_path= "*\\exefile\\shell\\runas\\command\\*") (Registry.registry_value_name
= "(Default)" OR Registry.registry_value_name = "IsolatedCommand")) BY _time span=1h
Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime
dest user parent_process_name parent_process process_name process_path process registry_key_name
registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Limited to no false positives are expected.
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- https://github.com/hfiref0x/UACME
- https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/
tags:
analytic_story:
- Windows Defense Evasion Tactics
- Windows Registry Abuse
asset_type: Endpoint
confidence: 90
impact: 70
message: Suspicious modification of registry $registry_path$ with possible payload
path $registry_value_name$ in $dest$
mitre_attack_id:
- T1548.002
- T1548
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.user
- Processes.dest
- Processes.process_id
- Processes.process_name
- Processes.process
- Processes.process_path
- Processes.parent_process_name
- Processes.parent_process
- Processes.process_guid
- Registry.dest
- Registry.registry_value_name
- Registry.registry_key_name
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog