← Library
sigmaDRL-1.1from SigmaHQ/sigma

UAC Bypass Using Iscsicpl - ImageLoad

Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1548.002
Rule sourcerules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
    - https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image: C:\Windows\SysWOW64\iscsicpl.exe
        ImageLoaded|endswith: '\iscsiexe.dll'
    filter:
        ImageLoaded|contains|all:
            - 'C:\Windows\'
            - 'iscsiexe.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high