detection.wiki

Detection rules › Sigma

UAC Bypass Using WOW64 Logger DLL Hijack

Severity
high
Author
Christian Burkard (Nextron Systems)
Source
upstream

Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense EvasionT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Event coverage

ProviderEvent IDTitle
Sysmon10ProcessAccess

Stages and Predicates

Stage 1: selection

CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
GrantedAccess: 0x1fffff
SourceImage|contains: ':\Windows\SysWOW64\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CallTracestarts_with
  • UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|
GrantedAccesseq
  • 0x1fffff corpus 3 (sigma 2, splunk 1)
SourceImagematch
  • :\Windows\SysWOW64\ corpus 7 (sigma 7)