Sigma | Level: medium | Hunting

Function Call From Undocumented COM Interface EditionUpgradeManager

Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.

MITRE ATT&CK

defense-evasion, privilege-escalation

Detection Query

selection:
  CallTrace|contains: editionupgrademanagerobj.dll
condition: selection
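The selection above is a single `CallTrace|contains` test. The following is an added example (not part of the rule or of the sigma project) that applies that test to a few constructed Sysmon Event ID 10 (ProcessAccess) message bodies, in the "Key: Value" form Event Viewer shows. Sigma string matching is case-insensitive, so the matcher lower-cases both sides before comparing; an event without a CallTrace field does not match. The process names, paths and offsets in the sample are made up.

```python
from typing import Dict, List, Optional

RULE_ID = "fb3722e4-1a06-46b6-b772-253e2e7db933"   # id from the rule above
NEEDLE = "editionupgrademanagerobj.dll"              # value from the rule's selection

# Constructed Sysmon Event ID 10 message bodies (one per blank-line separated block).
# The third block deliberately omits CallTrace to exercise the missing-field case.
SAMPLE_LOG = """\
RuleName: -
SourceImage: C:\\Windows\\System32\\svchost.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|C:\\Windows\\System32\\KERNELBASE.dll+2a5be

RuleName: -
SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\example.exe
TargetImage: C:\\Windows\\System32\\wscript.exe
GrantedAccess: 0x1fffff
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|C:\\Windows\\System32\\EditionUpgradeManagerObj.dll+1b2c3|C:\\Users\\alice\\AppData\\Local\\Temp\\example.exe+4f10

RuleName: -
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\explorer.exe
GrantedAccess: 0x1400
"""


def parse_sysmon_events(text: str) -> List[Dict[str, str]]:
    """Split Event Viewer style 'Key: Value' message bodies into one dict per event.

    Splitting on the first ': ' keeps Windows paths intact, because 'C:\\' has no space
    after the colon.
    """
    events: List[Dict[str, str]] = []
    for block in text.strip().split("\n\n"):
        event: Dict[str, str] = {}
        for line in block.splitlines():
            if ": " not in line:
                continue
            key, value = line.split(": ", 1)
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def sigma_contains(field_value: Optional[str], needle: str) -> bool:
    """Sigma's |contains modifier: case-insensitive substring test on one field."""
    if field_value is None:
        return False
    return needle.lower() in field_value.lower()


def rule_matches(event: Dict[str, str]) -> bool:
    """The rule's whole detection: 'selection' is the single CallTrace test."""
    return sigma_contains(event.get("CallTrace"), NEEDLE)


def find_hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the SourceImage of every event the rule fires on."""
    return [e.get("SourceImage", "<unknown>") for e in events if rule_matches(e)]


if __name__ == "__main__":
    for source in find_hits(parse_sysmon_events(SAMPLE_LOG)):
        print(f"[{RULE_ID}] CallTrace hit from {source}")
```

Only the second event fires: its CallTrace lists the EditionUpgradeManagerObj.dll module in mixed case, which the lower-cased comparison still catches. When triaging a hit, the SourceImage and TargetImage of the event are what tell you which process loaded the interface and what it reached into.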

Author

oscd.community, Dmitry Uchakin

Created

2020-10-07

Data Sources

windows: Process Access Events

Platforms

windows

Tags

attack.defense-evasion, attack.privilege-escalation, attack.t1548.002

Raw Content

title: Function Call From Undocumented COM Interface EditionUpgradeManager
id: fb3722e4-1a06-46b6-b772-253e2e7db933
status: test
description: Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.
references:
    - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
    - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2023-11-30
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|contains: 'editionupgrademanagerobj.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium