LoFP / domain controller user logon

Techniques

Sample rules

Explorer NOUACCHECK Flag

Description

Detects suspicious starts of explorer.exe with the /NOUACCHECK flag, which lets every child process of that newly started explorer.exe run without any UAC checks.

Detection logic

selection:
  Image|endswith: \explorer.exe
  CommandLine|contains: /NOUACCHECK
filter_dc_logon:
  - ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - ParentImage: C:\Windows\System32\svchost.exe
condition: selection and not 1 of filter_*
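To make the condition concrete, below is a small evaluator that runs the detection logic over sample process-creation events. It is added here and is not part of the Sigma rule or of the LoFP page. It implements the logic exactly as rendered above: the selection is an AND of its two fields, filter_dc_logon is a list, so either parent field on its own is enough to exclude an event, and string matching is case-insensitive as in Sigma. The events are constructed samples with Sysmon-style field names (Image, CommandLine, ParentImage, ParentCommandLine), not real telemetry.

```python
"""Evaluate the 'Explorer NOUACCHECK Flag' detection logic over constructed sample events."""

# Detection as rendered on the page. The selection is a map (AND of fields);
# the filter is a list of maps (OR between entries); the condition is
# "selection and not 1 of filter_*".
SELECTION = {
    "Image|endswith": "\\explorer.exe",
    "CommandLine|contains": "/NOUACCHECK",
}
FILTERS = {
    "filter_dc_logon": [
        {"ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"},
        {"ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    ],
}


def _field_matches(event, key, expected):
    """Apply one Sigma field modifier (contains / endswith / exact) case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def _map_matches(event, mapping):
    """A map selection is an AND of all its fields."""
    return all(_field_matches(event, k, v) for k, v in mapping.items())


def _selection_matches(event, selection):
    """A list selection is an OR of its entries; a map selection is an AND."""
    if isinstance(selection, list):
        return any(_map_matches(event, m) for m in selection)
    return _map_matches(event, selection)


def rule_fires(event):
    """condition: selection and not 1 of filter_*"""
    if not _selection_matches(event, SELECTION):
        return False
    return not any(_selection_matches(event, f) for f in FILTERS.values())


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # explorer relaunched from a shell with the flag: should alert
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe /NOUACCHECK",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe",
    },
    {   # the documented false positive: domain controller user logon, excluded by the filter
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\Explorer.EXE /NOUACCHECK",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
    },
    {   # ordinary explorer start without the flag: selection does not match
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\Explorer.EXE",
        "ParentImage": "C:\\Windows\\System32\\userinit.exe",
        "ParentCommandLine": "C:\\Windows\\system32\\userinit.exe",
    },
    {   # lower-case flag: Sigma matching is case-insensitive, so this still alerts
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe /nouaccheck",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": "powershell.exe",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event: True where the rule would alert."""
    return [rule_fires(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "ignore", event["ParentImage"], "->", event["CommandLine"])
```

One caveat worth keeping in mind when tuning: the filter keys only on the parent being that svchost.exe instance, not on the host being a domain controller. Anything else that svchost instance spawns with /NOUACCHECK, for example a scheduled task run by the Task Scheduler service hosted there, is suppressed the same way. Scoping the exclusion to domain controllers rather than to every child of that svchost instance narrows that gap.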