LoFP / unknown sub processes of wsreset.exe

Techniques

Sample rules

Bypass UAC via WSReset.exe

Description

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Detection logic

condition: selection and not filter
filter:
- Image|endswith: \conhost.exe
- OriginalFileName: CONHOST.EXE
selection:
  ParentImage|endswith: \wsreset.exe