Techniques
Sample rules
Explorer NOUACCHECK Flag
- source: sigma
- techniques:
- t1548
- t1548.002
Description
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all child processes of that newly started explorer.exe to run without any UAC checks.
Detection logic
selection:
    Image|endswith: '\explorer.exe'
    CommandLine|contains: '/NOUACCHECK'
filter_dc_logon:
    - ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
    - ParentImage: 'C:\Windows\System32\svchost.exe'
condition: selection and not 1 of filter_*
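As an added example (not code from the Sigma project or this page), a minimal Python evaluator for the detection block above, run over constructed process-creation events; the event field names are assumed to follow Sysmon Event ID 1, and string matching is case-insensitive as in Sigma.

```python
RULE = {  # detection block from above; the condition is applied in rule_matches()
    "selection": {"Image|endswith": "\\explorer.exe", "CommandLine|contains": "/NOUACCHECK"},
    "filter_dc_logon": [  # a list of maps is OR
        {"ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"},
        {"ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    ],
}

def field_matches(event, key, expected):
    """One 'Field|modifier: value' pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual, expected = str(event.get(field, "")).lower(), expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected  # no modifier: exact match

def block_matches(event, block):
    """A map is AND over its pairs; a list of maps is OR over its items."""
    if isinstance(block, list):
        return any(block_matches(event, item) for item in block)
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule=RULE):
    """condition: selection and not 1 of filter_*"""
    filters = [v for k, v in rule.items() if k.startswith("filter_")]
    return block_matches(event, rule["selection"]) and not any(
        block_matches(event, f) for f in filters)

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
EVENTS = {
    "unexpected_parent": {"Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\explorer.exe /NOUACCHECK",
        "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe"},
    "dc_logon_filtered": {"Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\explorer.exe /NOUACCHECK",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"},
    "normal_shell_start": {"Image": "C:\\Windows\\Explorer.EXE",
        "CommandLine": "C:\\Windows\\Explorer.EXE",
        "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    "mixed_case_flag": {"Image": "C:\\WINDOWS\\Explorer.EXE",
        "CommandLine": "explorer.exe /nouaccheck", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
}

def alerting_events(events=EVENTS):
    """Names of the events the rule alerts on, in sorted order."""
    return sorted(name for name, ev in events.items() if rule_matches(ev))
```

Because filter_dc_logon is a list, either entry alone suppresses the alert, so any explorer.exe started by svchost.exe is filtered regardless of the svchost command line; tighten the filter to a single map if that is broader than intended.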