Update sysmon_comhijack_uac_bypass.yml

lukiffer · Sep 27, 2020 · ebe3dce · ebe3dce
1 parent 3f148e6
commit ebe3dce
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/rules/windows/registry_event/sysmon_comhijack_uac_bypass.yml b/rules/windows/registry_event/sysmon_comhijack_uac_bypass.yml
@@ -1,9 +1,14 @@
-title: COM hijack & UAC bypass via Sdclt
+title: com hijack & uac bypass via sdclt
+id: 07743f65-7ec9-404a-a519-913db7118a8d
 status: experimental
 description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
 references:
     - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
     - https://www.exploit-db.com/exploits/47696
+tags:
+    - attack.privilege_escalation
+    - attack.T1546
+    - attack.T1548
 author: Omkar Gudhate
 date: 2020/09/27
 logsource:
@@ -15,11 +20,6 @@ detection:
             - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
             - 'HKCU\Software\Classes\Folder\shell\open\command'
     condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.T1546.015
-    - attack.T1548.002
 falsepositives:
     - unknown
-level: high
+level: high