
bypass UAC via AppInfo ALPC

# capa rule: flags code that carries the feature set of the UACME "tyranid"
# AppInfo/ALPC UAC bypass (see the pinned reference below). A match means the
# sample contains the debugger-loop + named-process pattern in one scope; it does
# not by itself prove the bypass was executed or succeeded.
rule:
  meta:
    name: bypass UAC via AppInfo ALPC
    namespace: host-interaction/uac/bypass
    authors:
      - richard.cole@mandiant.com
    scopes:
      # static: every feature below must appear within a single function
      static: function
      # dynamic: every feature below must appear within a single thread's trace
      dynamic: thread
    att&ck:
      - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
    references:
      # The features below are taken from the UACME implementation of this
      # method at a pinned commit; re-check them if that file changes.
      - https://github.com/hfiref0x/UACME/blob/0a4d2bd67f4872c595f0217ef6ebdcf135186945/Source/Akagi/methods/tyranid.c#L597
    examples:
      # sample MD5 : address of the function in which this rule matches
      - 2f43138aa75fb12ac482b486cbc98569:0x180002304
  features:
    # All six features are required (`and`), so a variant that renames the
    # debuggee, targets a different auto-elevating binary, or splits the debug
    # loop across functions will not match: treat this as high-precision,
    # low-recall and pair it with broader UAC-bypass rules.
    - and:
      # executable names referenced by the bypass. `string:` is an exact match on
      # the extracted string, so a full path such as C:\Windows\System32\winver.exe
      # would not satisfy it (NOTE(review): consider `substring:` if such
      # variants are observed)
      - string: "winver.exe"
      # interactive window station/desktop name, presumably set as
      # STARTUPINFO.lpDesktop when spawning a process (TODO confirm against the
      # reference). YAML double quotes turn `\\` into a single backslash, so the
      # matched string is WinSta0\Default.
      - string: "WinSta0\\Default"
      # NOTE(review): presumably the auto-elevating target process under default
      # UAC settings; confirm this is the elevated side in the referenced code
      - string: "taskmgr.exe"
      # debugger event loop: these are the debugger-side Win32 APIs, so the
      # sample is acting as a debugger for some child/attached process
      - api: WaitForDebugEvent
      - api: ContinueDebugEvent
      # presumably tear-down of the spawned or debugged process
      - api: TerminateProcess
