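---
# Sigma rule: flags a process-access event whose call stack passes through
# the EditionUpgradeManager COM server DLL. The structure below restores the
# nesting the flattened rendering lost (detection/logsource children must be
# indented under their parent, otherwise `detection:` parses as null and
# SELECTION_1/SELECTION_2/condition become stray top-level keys).
title: Load Undocumented Autoelevated COM Interface
author: oscd.community, Dmitry Uchakin
# Sigma convention keeps the date unquoted; slashes keep it a plain string,
# not a YAML timestamp.
date: 2020/10/07
description: COM interface (EditionUpgradeManager) that is not used by standard executables.
detection:
  # Sysmon Event ID 10 (ProcessAccess); the logsource category below says the same.
  SELECTION_1:
    EventID: 10
  # Wildcard contains-match on the call trace; the DLL name is quoted because
  # a plain scalar starting with `*` would be read as a YAML alias.
  SELECTION_2:
    CallTrace: '*editionupgrademanagerobj.dll*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
  # No benign baseline was recorded by the author; when tuning, SourceImage is
  # the field to pivot on so that a genuine legitimate caller can be excluded
  # without widening the CallTrace match.
  - unknown
fields:
  - ComputerName
  - User
  - SourceImage
  - TargetImage
  - CallTrace
id: fb3722e4-1a06-46b6-b772-253e2e7db933
level: high
logsource:
  category: process_access
  product: windows
references:
  - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
  - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
status: experimental
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  # T1548.002: Abuse Elevation Control Mechanism – Bypass User Account Control.
  - attack.t1548.002
# Trailing fields are added by the consuming tool's rule index, not by Sigma
# itself; kept verbatim so the index stays consistent.
yml_filename: sysmon_load_undocumented_autoelevated_com_interface.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access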