Bypasses User Account Control using a fileless method
title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
status: test
description: Bypasses User Account Control using a fileless method
references:
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\open\command\DelegateExecute'
Details: (Empty)
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using sdclt DelegateExecute
technique: T1548.002
atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7
imRegistry
| where RegistryKey endswith "\\open\\command\\DelegateExecute" and RegistryValueData =~ "(Empty)"DeviceRegistryEvents
| where RegistryKey endswith "\\open\\command\\DelegateExecute" and RegistryValueData =~ "(Empty)"| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |