Detects T1548 elevation control abuse including UAC bypass on Windows, sudo exploitation, and setuid/setgid on Linux by monitoring registry changes, process elevations, and anomalous parent-child relations. Provides Splunk, KQL, Sigma queries.
- When hunting for privilege escalation via UAC bypass in a Windows environment
Detects T1548 privilege escalation via UAC bypass, sudo exploitation, setuid abuse by monitoring Sysmon events, registry changes, process elevations, and parent-child relations in Windows/Linux.
Detects abuse of elevation control mechanisms like UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
Detects privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse on Windows/Linux. Useful for threat hunting over EDR/SIEM telemetry such as CrowdStrike, Splunk and Sysmon.
Watch for writes to the registry keys under HKCU\Software\Classes\ms-settings\shell\open\command or HKCU\Software\Classes\mscfile\shell\open\command. Track these changes with Sysmon Event ID 12 (registry key created/deleted) and Event ID 13 (registry value set).

| Concept | Description |
|---|---|
| T1548.002 | Bypass User Account Control (UAC bypass) |
| T1548.001 | Setuid and Setgid (Linux/macOS) |
| T1548.003 | Sudo and Sudo Caching |
| T1548.004 | Elevated Execution with Prompt (macOS) |
| UAC auto-elevate | Windows binaries that elevate without a prompt (autoElevate set in their manifest) |
| fodhelper.exe | Common UAC bypass vector via registry hijack |
| eventvwr.exe | UAC bypass via the MSC file handler |
| Integrity level | Windows process trust level (Low/Medium/High/System) |
Splunk, Sysmon registry events. Sysmon records the user hive as HKU\<SID>\... rather than HKCU\..., so the pattern accepts either prefix:

```spl
index=sysmon (EventCode=12 OR EventCode=13)
| where match(TargetObject, "(?i)(HKCU|HKU\\\\[^\\\\]+)\\\\Software\\\\Classes\\\\(ms-settings|mscfile|exefile|Folder)\\\\shell\\\\open\\\\command")
| table _time Computer User EventCode TargetObject Details Image
```

Splunk, auto-elevating binaries launched by a parent other than the shell or a service host (an interactive user reaching these tools goes through explorer.exe; a bypass usually launches them from cmd.exe, powershell.exe or a dropped payload):

```spl
index=sysmon EventCode=1
| where match(Image, "(?i)(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$")
| where NOT match(ParentImage, "(?i)(explorer|svchost|services)\.exe$")
| table _time Computer User Image CommandLine ParentImage ParentCommandLine
```
Microsoft Defender for Endpoint (KQL). RegistryValueName is worth projecting because the fodhelper bypass also creates an empty DelegateExecute value under the same key, which is a strong confirmation of the hijack:

```kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("ms-settings\\shell\\open\\command", "mscfile\\shell\\open\\command")
| where ActionType == "RegistryValueSet"
// (Default) carries the payload path; DelegateExecute is the companion value the bypass writes
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
```
Sigma rule (registry_set):

```yaml
title: UAC Bypass via Registry Modification
status: stable
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\ms-settings\shell\open\command'
            - '\mscfile\shell\open\command'
            - '\exefile\shell\open\command'
    condition: selection
level: high
tags:
    - attack.privilege_escalation
    - attack.t1548.002
```
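The Splunk, KQL and Sigma queries above each flag one half of the technique: the handler-key write, or the auto-elevating binary launched by an odd parent. As an added example that is not part of the original skill or its queries, the following Python reimplements both checks over a few constructed Sysmon-style records (field names follow Sysmon: EventID, TargetObject, Details, Image, ParentImage) and correlates them by host and user inside a short window, the way you would in a scheduled search. The hostnames, SIDs, users, timestamps and paths are made up; the output rows use the field names of the hunt finding template on this page.

```python
"""Correlate Sysmon registry hijack writes with auto-elevating binary launches.

Added example, not part of the original skill.  Reimplements the logic of the
Splunk/KQL/Sigma queries over constructed Sysmon-style records so it runs
offline.  Hostnames, SIDs, users and paths below are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# shell\open\command keys under the user hive that auto-elevating binaries
# honour.  Sysmon writes the user hive as HKU\<SID>\..., not HKCU\..., so the
# pattern accepts either prefix.
HIJACK_KEY_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Classes\\"
    r"(?:ms-settings|mscfile|exefile|Folder)\\shell\\open\\command",
    re.IGNORECASE,
)

# Binaries with autoElevate=true in their manifest that are commonly abused.
AUTO_ELEVATE_RE = re.compile(
    r"\\(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$",
    re.IGNORECASE,
)

# Parents that launch these binaries in normal interactive or service use.
BENIGN_PARENT_RE = re.compile(r"\\(explorer|svchost|services)\.exe$", re.IGNORECASE)

CORRELATION_WINDOW = timedelta(minutes=5)


def is_hijack_key_write(event):
    """Sysmon 12/13 touching one of the hijackable shell\\open\\command keys."""
    return event["EventID"] in (12, 13) and bool(HIJACK_KEY_RE.match(event.get("TargetObject", "")))


def is_suspicious_elevation(event):
    """Sysmon 1: auto-elevating binary spawned by something other than the usual parents."""
    return (event["EventID"] == 1
            and bool(AUTO_ELEVATE_RE.search(event.get("Image", "")))
            and not BENIGN_PARENT_RE.search(event.get("ParentImage", "")))


def correlate(events):
    """Pair each suspicious launch with every hijack-key write by the same host/user
    in the preceding CORRELATION_WINDOW.  Returns (registry_event, process_event) tuples."""
    writes = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        actor = (ev["Computer"], ev["User"])
        if is_hijack_key_write(ev):
            writes[actor].append(ev)
        elif is_suspicious_elevation(ev):
            for w in writes[actor]:
                if timedelta(0) <= ev["UtcTime"] - w["UtcTime"] <= CORRELATION_WINDOW:
                    hits.append((w, ev))
    return hits


def hunt_records(events):
    """Render correlated hits with the field names of the hunt finding template."""
    return [{
        "Host": proc["Computer"],
        "Auto-Elevate Binary": proc["Image"].rsplit("\\", 1)[-1].lower(),
        "Registry Key Modified": reg["TargetObject"],
        "Payload Executed": reg.get("Details", ""),
        "User Context": proc["User"],
        "ATT&CK Technique": "T1548.002",
    } for reg, proc in correlate(events)]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


SID = "S-1-5-21-1111-2222-3333-1001"  # constructed
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    # [0]-[1]: attacker writes the ms-settings handler (default value plus empty DelegateExecute)
    {"EventID": 13, "UtcTime": _t("2024-05-01 10:00:01"), "Computer": "WS01", "User": "CORP\\alice",
     "Image": PS, "TargetObject": f"HKU\\{SID}\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\p.exe"},
    {"EventID": 13, "UtcTime": _t("2024-05-01 10:00:02"), "Computer": "WS01", "User": "CORP\\alice",
     "Image": PS, "TargetObject": f"HKU\\{SID}\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute",
     "Details": "(Empty)"},
    # [2]: fodhelper.exe launched from PowerShell a few seconds later
    {"EventID": 1, "UtcTime": _t("2024-05-01 10:00:04"), "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "CommandLine": "fodhelper.exe", "ParentImage": PS},
    # [3]: benign fodhelper.exe launch from Explorer on another host
    {"EventID": 1, "UtcTime": _t("2024-05-01 10:05:00"), "Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "CommandLine": "fodhelper.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # [4]: unrelated registry write by the same user, must not correlate
    {"EventID": 13, "UtcTime": _t("2024-05-01 10:01:00"), "Computer": "WS01", "User": "CORP\\alice",
     "Image": PS, "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\u.exe"},
]

if __name__ == "__main__":
    for rec in hunt_records(SAMPLE_EVENTS):
        print(rec)
```

Running it prints two records, one per value written under the ms-settings handler, both tied to the fodhelper.exe launch on WS01; the Explorer-spawned launch on WS02 and the Run-key write are not reported. When porting this back to a SIEM, keep the HKU\<SID> prefix handling: a pattern anchored on HKCU never matches Sysmon telemetry.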
How the common bypasses work:

- fodhelper.exe: the attacker sets HKCU\Software\Classes\ms-settings\shell\open\command to a malicious executable (the bypass also creates an empty DelegateExecute value under the same key), then launches fodhelper.exe, which auto-elevates and executes the hijacked command.
- eventvwr.exe: the attacker hijacks HKCU\Software\Classes\mscfile\shell\open\command to intercept Event Viewer's auto-elevated handling of .msc files.
- cmstp.exe: launched with the /s /ni flags and an attacker-controlled .inf file, it bypasses UAC.

Hunt finding template:

```text
Hunt ID: TH-UAC-[DATE]-[SEQ]
Host: [hostname]
Bypass Method: [registry hijack/DLL hijack/token manipulation]
Auto-Elevate Binary: [fodhelper.exe/eventvwr.exe etc.]
Registry Key Modified: [full registry path]
Payload Executed: [command or binary path]
User Context: [account]
Risk Level: [Critical/High/Medium]
ATT&CK Technique: [T1548.00x]
```