Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-09 09:27:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4d6ac236bc25e4c6ee84460064c5b8cfe3bbe94f
keyboardcrunch-sentinelone-…/queries/windows/bypass_user_access_control.yml
T
keyboardcrunch 4d6ac236bc Cleaned up signature descriptions and metadata.
2020-12-05 21:45:38 -06:00

18 lines
676 B
YAML
Raw Blame History

title: T1548.002 Bypass User Access Control
description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
or .msc file types. Also includes detection for CMSTPLUA COM interface abuse by GUID.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1548
subtechnique: 008
operating_system: windows
query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
false_positives:
tags:
Reference in New Issue View Git Blame Copy Permalink