Techniques
Sample rules
UAC Bypass With Fake DLL
- source: sigma
- techniques:
  - t1548
  - t1548.002
  - t1574
  - t1574.002
Description
Attempts to load dismcore.dll after dropping it
Detection logic
condition: selection and not filter
filter:
  ImageLoaded: C:\Windows\System32\Dism\dismcore.dll
selection:
  ImageLoaded|endswith: \dismcore.dll
  Image|endswith: \dism.exe
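
The detection logic above, evaluated over image-load events, as an added example that is not part of the original rule or the Sigma project's code. The event dictionaries, the "id" label and the function names are constructed for illustration; only the field names and values in the rule come from the page.

```python
# Added example: the rule's detection logic applied to constructed image-load events.
LEGIT_DLL = r"C:\Windows\System32\Dism\dismcore.dll"  # value from the rule's filter


def ends_with(value: str, suffix: str) -> bool:
    # Sigma compares strings case-insensitively unless a modifier says otherwise.
    return value.lower().endswith(suffix.lower())


def selection(event: dict) -> bool:
    # Both fields must match: dism.exe is the loader and the module is dismcore.dll.
    return (ends_with(event.get("ImageLoaded", ""), "\\dismcore.dll")
            and ends_with(event.get("Image", ""), "\\dism.exe"))


def is_filtered(event: dict) -> bool:
    # Exact (case-insensitive) match on the one location the rule excludes.
    return event.get("ImageLoaded", "").lower() == LEGIT_DLL.lower()


def rule_matches(event: dict) -> bool:
    # condition: selection and not filter
    return selection(event) and not is_filtered(event)


# Constructed sample events (not real telemetry); "id" is only a label for this example.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\Dism\dismcore.dll"},  # excluded path
    {"id": 2, "Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dismcore.dll"},  # dropped copy
    {"id": 3, "Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"c:\windows\system32\dism\DismCore.dll"},  # same path, other case
    {"id": 4, "Image": r"C:\Windows\System32\Dism\DismHost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dismcore.dll"},  # loader is not dism.exe
    {"id": 5, "Image": r"C:\Windows\SysWOW64\dism.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\Dism\dismcore.dll"},  # outside the filtered path
]


def triage(events: list) -> list:
    # Return the ids of events the rule would alert on.
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Event 5 alerts because the filter excludes exactly one path, so a dismcore.dll load from any other directory needs triage or an additional filter entry.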