← Back to Explore
sigmahighHunting
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
Detection Query
selection:
Image: C:\Windows\SysWOW64\iscsicpl.exe
ImageLoaded|endswith: \iscsiexe.dll
filter:
ImageLoaded|contains|all:
- C:\Windows\
- iscsiexe.dll
condition: selection and not filter
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-17
Data Sources
windowsImage Load Events
Platforms
windows
References
Tags
attack.defense-evasionattack.privilege-escalationattack.t1548.002
Raw Content
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
- https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: image_load
detection:
selection:
Image: C:\Windows\SysWOW64\iscsicpl.exe
ImageLoaded|endswith: '\iscsiexe.dll'
filter:
ImageLoaded|contains|all:
- 'C:\Windows\'
- 'iscsiexe.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high