← Back to Explore
sigmahighHunting
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
Detection Query
selection:
TargetFilename|startswith: C:\Users\
TargetFilename|endswith: \AppData\Local\Temp\pe386.dll
condition: selection
Author
Christian Burkard (Nextron Systems)
Created
2021-08-30
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.defense-evasionattack.privilege-escalationattack.t1548.002
Raw Content
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
condition: selection
falsepositives:
- Unknown
level: high