detection.wiki

Detection rules › Sigma

UAC Bypass Using IDiagnostic Profile

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects the "IDiagnosticProfileUAC" UAC bypass technique

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense EvasionT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

IntegrityLevel: [High, S-1-16-12288, S-1-16-16384, System]
ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
ParentImage|endswith: '\DllHost.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
IntegrityLeveleq
  • High corpus 16 (sigma 16)
  • S-1-16-12288 corpus 16 (sigma 16)
  • S-1-16-16384 corpus 21 (sigma 21)
  • System corpus 21 (sigma 21)
ParentCommandLinematch
  • /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}
ParentImageends_with
  • \DllHost.exe corpus 2 (sigma 2)