ION28 / BLUESPAWN

An Active Defense and EDR software to empower Blue Teams
GNU General Public License v3.0

New detection - T1548.002 Abuse Elevation Control Mechanism: Bypass User Access Control #376

Closed 0xhido closed 3 years ago

0xhido commented 3 years ago

References: https://attack.mitre.org/techniques/T1548/

I've written 3 scopes for detections based on the articles:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/