title: COM Hijack via Sdclt
author: Omkar Gudhate
date: 2020/09/27
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
detection:
  SELECTION_1:
    EventID: 12
  SELECTION_2:
    EventID: 13
  SELECTION_3:
    EventID: 14
  SELECTION_4:
    TargetObject:
    - HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- unknown
id: 07743f65-7ec9-404a-a519-913db7118a8d
level: high
logsource:
  category: registry_event
  product: windows
references:
- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- https://www.exploit-db.com/exploits/47696
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546
- attack.t1548
ruletype: SIGMA