UAC Bypass via Sdclt

Severity: high
Author: Omer Yampel, Christian Burkard (Nextron Systems)
Source: upstream

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1548.002` Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion	`T1548.002` Abuse Elevation Control Mechanism: Bypass User Account Control

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `1 of selection1`

TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'

Stage 2: `1 of selection2`

Details|re: '-1[0-9]{3}\\Software\\Classes\\'
TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	regex_match	`-1[0-9]{3}\\Software\\Classes\\`
`TargetObject`	ends_with	`Software\Classes\Folder\shell\open\command\SymbolicLinkValue` `Software\Classes\exefile\shell\runas\command\isolatedCommand`