From 03f86a97c979bf13c09b92a66ba169f71803d9f7 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 17 Aug 2025 18:18:18 +0200 Subject: [PATCH 01/19] iscicpl UAC Bypass --- yml/OSBinaries/Iscsicpl.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 yml/OSBinaries/Iscsicpl.yml diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml new file mode 100644 index 00000000..06689976 --- /dev/null +++ b/yml/OSBinaries/Iscsicpl.yml 
@@ -0,0 +1,36 @@ +--- +Name: iscsicpl.exe +Description: Microsoft iSCSI Initiator Control Panel tool +Aliases: + - Alias: iscsicpl.exe # PE Original filename +Author: 'Ekkie' +Created: 2025-08-17 +Commands: + - Command: iscsicpl.exe # SysWOW64 binary + Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll. Can also Bypass UAC through launching iscicpl.exe, go to Configuration --> Report --> launch cmd + Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 + - Command: iscsicpl.exe # System32 binary + Description: c:\windows\system32\iscsicpl.exe has UAC Bypass through launching iscicpl.exe, go to Configuration --> Report --> launch cmd + Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application + - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml + - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll + - IOC: Suspicious child process to iscsicpl.exe like cmd, powershell etc. +Resources: + - Link: https://learn.microsoft.com/en-us/windows-server/storage/iscsi/iscsi-initiator-portal + - Link: https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC +Acknowledgement: + - Person: hacker.house + - Person: Ekitji + Handle: '@eki_erk' From 992dac6fd72c1a8a116e054abd1655a510a2d57c Mon Sep 17 00:00:00 2001 
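Review bot: The DLL path given in the SysWOW64 Command's Description and again as a Detection IOC, `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, has an empty segment where the profile directory belongs, so a detection copied from the IOC line as written would never match the real on-disk location. Write it with an explicit placeholder, `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, or as `%LOCALAPPDATA%\Microsoft\WindowsApps\ISCSIEXE.dll`. Both Command Descriptions also spell the binary `iscicpl.exe` where the Name field says `iscsicpl.exe`. The same path and spelling are carried unchanged into the re-creation in PATCH 04 and the rewrites in PATCH 05, 13 and 14, so they are best fixed here at the source.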
From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 17 Aug 2025 18:19:57 +0200 Subject: [PATCH 02/19] UAC Bypass --- yml/OSBinaries/Iscsicpl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index 06689976..a96f8628 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml @@ -3,7 +3,7 @@ Name: iscsicpl.exe Description: Microsoft iSCSI Initiator Control Panel tool Aliases: - Alias: iscsicpl.exe # PE Original filename -Author: 'Ekkie' +Author: 'Ekitji' Created: 2025-08-17 Commands: - Command: iscsicpl.exe # SysWOW64 binary From dc3778e93e3457f9e852730e73f386deade6478d Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 17 Aug 2025 18:24:11 +0200 Subject: [PATCH 03/19] Delete yml/OSBinaries/Iscsicpl.yml fixing linting issues --- yml/OSBinaries/Iscsicpl.yml | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 yml/OSBinaries/Iscsicpl.yml diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml deleted file mode 100644 index a96f8628..00000000 --- a/yml/OSBinaries/Iscsicpl.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -Name: iscsicpl.exe -Description: Microsoft iSCSI Initiator Control Panel tool -Aliases: - - Alias: iscsicpl.exe # PE Original filename -Author: 'Ekitji' -Created: 2025-08-17 -Commands: - - Command: iscsicpl.exe # SysWOW64 binary - Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll. Can also Bypass UAC through launching iscicpl.exe, go to Configuration --> Report --> launch cmd - Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. - Category: UAC Bypass - Privileges: User - MitreID: T1548.002 - OperatingSystem: Windows 10, Windows 11 - - Command: iscsicpl.exe # System32 binary - Description: c:\windows\system32\iscsicpl.exe has UAC Bypass through launching iscicpl.exe, go to Configuration --> Report --> launch cmd - Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. - Category: UAC Bypass - Privileges: User - MitreID: T1548.002 - OperatingSystem: Windows 10, Windows 11 -Full_Path: - - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application - - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml - - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll - - IOC: Suspicious child process to iscsicpl.exe like cmd, powershell etc. -Resources: - - Link: https://learn.microsoft.com/en-us/windows-server/storage/iscsi/iscsi-initiator-portal - - Link: https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC -Acknowledgement: - - Person: hacker.house - - Person: Ekitji - Handle: '@eki_erk' From dfdb43ce60add5d8f72150deeb65351ad606b810 Mon Sep 17 00:00:00 2001 
From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 17 Aug 2025 18:24:30 +0200 Subject: [PATCH 04/19] UAC Bypass fixed linting issues --- yml/OSBinaries/Iscsicpl.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 yml/OSBinaries/Iscsicpl.yml diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml new file mode 100644 index 00000000..70b01b47 --- /dev/null +++ b/yml/OSBinaries/Iscsicpl.yml 
@@ -0,0 +1,36 @@ +--- +Name: iscsicpl.exe +Description: Microsoft iSCSI Initiator Control Panel tool +Aliases: + - Alias: iscsicpl.exe # PE Original filename +Author: 'Ekitji' +Created: 2025-08-17 +Commands: + - Command: iscsicpl.exe # SysWOW64 binary + Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll. Can also Bypass UAC through launching iscicpl.exe, go to Configuration --> Report --> launch cmd + Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 + - Command: iscsicpl.exe # System32 binary + Description: c:\windows\system32\iscsicpl.exe has UAC Bypass through launching iscicpl.exe, go to Configuration --> Report --> launch cmd + Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application + - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml + - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll + - IOC: Suspicious child process to iscsicpl.exe like cmd, powershell etc. +Resources: + - Link: https://learn.microsoft.com/en-us/windows-server/storage/iscsi/iscsi-initiator-portal + - Link: https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC +Acknowledgement: + - Person: hacker.house + - Person: Ekitji + Handle: '@eki_erk' From caee26d2317e10fed384a1f6a7e6119af8ba367c Mon Sep 17 00:00:00 2001 
From: Wietze Date: Sun, 31 Aug 2025 17:07:19 +0100 Subject: [PATCH 05/19] Update Iscsicpl.yml --- yml/OSBinaries/Iscsicpl.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index 70b01b47..26edf26e 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml 
@@ -1,25 +1,28 @@ --- Name: iscsicpl.exe Description: Microsoft iSCSI Initiator Control Panel tool -Aliases: - - Alias: iscsicpl.exe # PE Original filename -Author: 'Ekitji' +Author: Ekitji Created: 2025-08-17 Commands: - - Command: iscsicpl.exe # SysWOW64 binary - Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll. Can also Bypass UAC through launching iscicpl.exe, go to Configuration --> Report --> launch cmd - Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary + Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass. + Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt. Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 - - Command: iscsicpl.exe # System32 binary - Description: c:\windows\system32\iscsicpl.exe has UAC Bypass through launching iscicpl.exe, go to Configuration --> Report --> launch cmd - Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + Tags: + - Execute: DLL + - Command: iscsicpl.exe # SysWOW64/System32 binary + Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. 
Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Application: GUI Full_Path: - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application From bbb2188a43b52fb39c44c1c632e29075f3af91d8 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 31 Aug 2025 17:07:50 +0100 Subject: [PATCH 06/19] Update Iscsicpl.yml --- yml/OSBinaries/Iscsicpl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index 26edf26e..e02b1148 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL - Command: iscsicpl.exe # SysWOW64/System32 binary Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. From 4b40058a2ea9aaa13376e518e842b588467930ea Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Thu, 4 Sep 2025 19:12:01 +0200 Subject: [PATCH 07/19] sending two more.. have researched windows 10/11.. found two more.. and... again... some one has posted about it on internet but not sent to you :( --- yml/OSBinaries/eudcedit.yml | 36 ++++++++++++++++++++++++++++++++++++ yml/OSBinaries/odbcad32.yml | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 yml/OSBinaries/eudcedit.yml create mode 100644 yml/OSBinaries/odbcad32.yml diff --git a/yml/OSBinaries/eudcedit.yml b/yml/OSBinaries/eudcedit.yml new file mode 100644 index 00000000..4ed3be9e 
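Review bot: The second Command's new Description names `c:\windows\system64\iscsicpl.exe`, a directory that does not exist on Windows; the 32-bit copy this entry means, per the Full_Path list a few lines below in the same hunk, is `c:\windows\syswow64\iscsicpl.exe`. The same sentence spells the launched binary `iscicpl.exe`, which no longer matches the Name field, so change `system64` to `syswow64` and `iscicpl.exe` to `iscsicpl.exe` in that line. PATCH 14 later reapplies this exact text, so the correction will be needed there as well unless it is made before that commit. PATCH 06's whitespace-only hunk shares this line and needs nothing.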
--- /dev/null +++ b/yml/OSBinaries/eudcedit.yml @@ -0,0 +1,36 @@ +Name: eudcedit.exe +Description: Private Character Editor (EUDC) — creates and edits end-user defined characters. +Aliases: + - Alias: EUDCEDIT.EXE # PE Original filename +Author: 'Ekitji' +Created: 2025-09-04 +Commands: + - Command: eudcedit.exe # System32 (64-bit) + Description: Legitimate GUI tool. Can be abused for a UAC bypass by breaking out from the GUI to spawn other processes. + Usecase: Start process --> OK --> File --> Font Links --> Link with Selected Fonts --> Saves As --> start cmd in adress bar. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 + - Command: eudcedit.exe # SysWOW64 (32-bit) + Description: 32-bit variant of the same tool; similar UAC bypass via GUI breakout . + Usecase: Start process --> OK --> File --> Font Links --> Link with Selected Fonts --> Saves As --> start cmd in adress bar. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\syswow64\eudcedit.exe + - Path: c:\windows\system32\eudcedit.exe +Detection: + - IOC: Parent process eudcedit.exe spawning interactive shells (e.g., cmd.exe, powershell.exe) or mmc.exe. + - IOC: eudcedit.exe creating high-integrity child processes from a standard-user context. + - EventID: 4688 with ParentImage = *\eudcedit.exe and suspicious ChildImage. + - SysmonEvent: 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. +Resources: + - Link: https://rewterz.com/threat-advisory/windows-uac-bypassed-via-character-map + +Acknowledgement: + -Person: rewterz + - Person: Ekitji + Handle: '@eki_erk' diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml new file mode 100644 index 00000000..78491273 --- /dev/null +++ b/yml/OSBinaries/odbcad32.yml 
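Review bot: The `EventID: 4688` line under Detection names a `ParentImage` field, but Security event 4688 carries the parent as `Creator Process Name` (`ParentProcessName` in the event XML); `ParentImage` is the field name of Sysmon Event ID 1 only, so a rule built from the 4688 line as written would not match 4688 events. Suggested line: `- IOC: EventID 4688 (Process Creation) with Creator Process Name = *\eudcedit.exe and a suspicious New Process Name.` The odbcad32.yml hunk below has the same pair of lines, and the rewrites in PATCH 10 and 11 keep the field name. Both new entries also lack the `Tags` block (`- Execute: CMD`, `- Application: GUI`) that the maintainer's PATCH 05 rewrite of Iscsicpl.yml adds for the same GUI-breakout class, and the Usecase lines say `adress bar` for `address bar`.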
@@ -0,0 +1,36 @@ +Name: odbcad32.exe +Description: ODBC Data Source Administrator — manages User/System DSNs and ODBC drivers. +Aliases: + - Alias: odbcad32.exe # PE Original filename +Author: 'Ekitji' +Created: 2025-09-04 +Commands: + - Command: odbcad32.exe # System32 (64-bit) + Description: Legitimate GUI tool. Can be abused for a UAC bypass by breaking out from the GUI to spawn other processes. + Usecase: Manage ODBC data sources; UAC bypass via GUI breakout by starting process --> Tracing --> Browse --> cmd.exe OR Tracing --> Select DLL --> cmd.exe + + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 + - Command: odbcad32.exe # SysWOW64 (32-bit) + Description: 32-bit variant of the same tool; similar UAC bypass via GUI breakout. + Usecase: Manage ODBC data sources; UAC bypass via GUI breakout by starting process --> Tracing --> Browse --> cmd.exe OR Tracing --> Select DLL --> cmd.exe + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\odbcad32.exe + - Path: c:\windows\syswow64\odbcad32.exe +Detection: + - IOC: ParentImage = *\odbcad32.exe spawning interactive shells (cmd.exe, powershell.exe) or unexpected child processes. + - IOC: Elevated or high-integrity child processes with ParentImage = *\odbcad32.exe from a standard-user session. + - EventID: 4688 (Process Creation) with ParentImage = *\odbcad32.exe + - SysmonEvent: 1 (Process Create) with ParentImage = *\odbcad32.exe and suspicious ChildImage. +Resources: + - Link: https://amonitoring.ru/article/uac_bypass_english/ +Acknowledgement: + - Person: amonitoring + - Person: Ekitji + Handle: '@eki_erk' From 2154f8d2329a5cfccbdfd209297db688874ec932 Mon Sep 17 00:00:00 2001 
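Review bot: The `EventID: 4688` IOC under Detection has no child-process qualifier, unlike the Sysmon line next to it, so it describes every child process odbcad32.exe ever creates rather than a breakout; append the same qualifier the Sysmon line uses, `- IOC: EventID: 4688 (Process Creation) with ParentImage = *\odbcad32.exe and suspicious ChildImage.` The Usecase field of both Commands also mixes the tool's purpose (`Manage ODBC data sources`) with the breakout navigation, whereas the maintainer's PATCH 05 rewrite of Iscsicpl.yml keeps the navigation in Description and states only the outcome in Usecase; moving the `Tracing --> ...` path into Description would match that convention. The stray blank `+` line between the first Command's Usecase and Category is removed later in PATCH 16.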
From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Thu, 4 Sep 2025 19:16:42 +0200 Subject: [PATCH 08/19] Add files via upload --- yml/OSBinaries/eudcedit.yml | 2 +- yml/OSBinaries/odbcad32.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/eudcedit.yml b/yml/OSBinaries/eudcedit.yml index 4ed3be9e..8792f48e 100644 --- a/yml/OSBinaries/eudcedit.yml +++ b/yml/OSBinaries/eudcedit.yml @@ -1,3 +1,4 @@ +--- Name: eudcedit.exe Description: Private Character Editor (EUDC) — creates and edits end-user defined characters. Aliases: @@ -29,7 +30,6 @@ Detection: - SysmonEvent: 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. Resources: - Link: https://rewterz.com/threat-advisory/windows-uac-bypassed-via-character-map - Acknowledgement: -Person: rewterz - Person: Ekitji diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml index 78491273..55952df8 100644 --- a/yml/OSBinaries/odbcad32.yml +++ b/yml/OSBinaries/odbcad32.yml @@ -1,3 +1,4 @@ +--- Name: odbcad32.exe Description: ODBC Data Source Administrator — manages User/System DSNs and ODBC drivers. Aliases: From 8145c397a25792abbf8c480326407ed4b0c7d5f5 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Thu, 4 Sep 2025 19:19:05 +0200 Subject: [PATCH 09/19] Add files via upload --- yml/OSBinaries/eudcedit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/eudcedit.yml b/yml/OSBinaries/eudcedit.yml index 8792f48e..d266d7ac 100644 --- a/yml/OSBinaries/eudcedit.yml +++ b/yml/OSBinaries/eudcedit.yml @@ -31,6 +31,6 @@ Detection: Resources: - Link: https://rewterz.com/threat-advisory/windows-uac-bypassed-via-character-map Acknowledgement: - -Person: rewterz + - Person: rewterz - Person: Ekitji Handle: '@eki_erk' From a8ffad6a8cfa7b541831445ea95d4082de6aea83 Mon Sep 17 00:00:00 2001 
From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Fri, 5 Sep 2025 10:39:00 +0200 Subject: [PATCH 10/19] Add files via upload changed so the event ids is in IOC value.. --- yml/OSBinaries/eudcedit.yml | 4 ++-- yml/OSBinaries/odbcad32.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/yml/OSBinaries/eudcedit.yml b/yml/OSBinaries/eudcedit.yml index d266d7ac..e816eb59 100644 --- a/yml/OSBinaries/eudcedit.yml +++ b/yml/OSBinaries/eudcedit.yml @@ -26,8 +26,8 @@ Full_Path: Detection: - IOC: Parent process eudcedit.exe spawning interactive shells (e.g., cmd.exe, powershell.exe) or mmc.exe. - IOC: eudcedit.exe creating high-integrity child processes from a standard-user context. - - EventID: 4688 with ParentImage = *\eudcedit.exe and suspicious ChildImage. - - SysmonEvent: 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. + - IOC: EventID: 4688 with ParentImage = *\eudcedit.exe and suspicious ChildImage. + - IOC: Sysmon EventID: 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. Resources: - Link: https://rewterz.com/threat-advisory/windows-uac-bypassed-via-character-map Acknowledgement: diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml index 55952df8..6b11c9f2 100644 --- a/yml/OSBinaries/odbcad32.yml +++ b/yml/OSBinaries/odbcad32.yml 
@@ -27,8 +27,8 @@ Full_Path: Detection: - IOC: ParentImage = *\odbcad32.exe spawning interactive shells (cmd.exe, powershell.exe) or unexpected child processes. - IOC: Elevated or high-integrity child processes with ParentImage = *\odbcad32.exe from a standard-user session. - - EventID: 4688 (Process Creation) with ParentImage = *\odbcad32.exe - - SysmonEvent: 1 (Process Create) with ParentImage = *\odbcad32.exe and suspicious ChildImage. + - IOC: EventID: 4688 (Process Creation) with ParentImage = *\odbcad32.exe + - IOC: Sysmon EventID: 1 (Process Create) with ParentImage = *\odbcad32.exe and suspicious ChildImage. Resources: - Link: https://amonitoring.ru/article/uac_bypass_english/ Acknowledgement: From 670c4f308afa1161f01c5cc2185f095427f9b34a Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Fri, 5 Sep 2025 10:42:57 +0200 Subject: [PATCH 11/19] Add files via upload removed : in IOC --- yml/OSBinaries/eudcedit.yml | 4 ++-- yml/OSBinaries/odbcad32.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/yml/OSBinaries/eudcedit.yml b/yml/OSBinaries/eudcedit.yml index e816eb59..78a28fe3 100644 --- a/yml/OSBinaries/eudcedit.yml +++ b/yml/OSBinaries/eudcedit.yml @@ -26,8 +26,8 @@ Full_Path: Detection: - IOC: Parent process eudcedit.exe spawning interactive shells (e.g., cmd.exe, powershell.exe) or mmc.exe. - IOC: eudcedit.exe creating high-integrity child processes from a standard-user context. - - IOC: EventID: 4688 with ParentImage = *\eudcedit.exe and suspicious ChildImage. - - IOC: Sysmon EventID: 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. + - IOC: EventID 4688 with ParentImage = *\eudcedit.exe and suspicious ChildImage. + - IOC: Sysmon EventID 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. Resources: - Link: https://rewterz.com/threat-advisory/windows-uac-bypassed-via-character-map Acknowledgement: 
diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml index 6b11c9f2..0f310381 100644 --- a/yml/OSBinaries/odbcad32.yml +++ b/yml/OSBinaries/odbcad32.yml @@ -27,8 +27,8 @@ Full_Path: Detection: - IOC: ParentImage = *\odbcad32.exe spawning interactive shells (cmd.exe, powershell.exe) or unexpected child processes. - IOC: Elevated or high-integrity child processes with ParentImage = *\odbcad32.exe from a standard-user session. - - IOC: EventID: 4688 (Process Creation) with ParentImage = *\odbcad32.exe - - IOC: Sysmon EventID: 1 (Process Create) with ParentImage = *\odbcad32.exe and suspicious ChildImage. + - IOC: EventID 4688 (Process Creation) with ParentImage = *\odbcad32.exe + - IOC: Sysmon EventID 1 (Process Create) with ParentImage = *\odbcad32.exe and suspicious ChildImage. Resources: - Link: https://amonitoring.ru/article/uac_bypass_english/ Acknowledgement: From ff5d4921e3c7d8acd453b88531e6ef5138dab18d Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 21:44:48 +0200 Subject: [PATCH 12/19] Update Iscsicpl.yml --- yml/OSBinaries/Iscsicpl.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index 254df066..8645da55 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml @@ -4,7 +4,6 @@ Description: Microsoft iSCSI Initiator Control Panel tool Author: Ekitji Created: 2025-08-17 Commands - - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass. Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt. From d79e9543426acce4385ac3b69b25ed3f834f519b Mon Sep 17 00:00:00 2001 
From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 21:46:06 +0200 Subject: [PATCH 13/19] Update Iscsicpl.yml --- yml/OSBinaries/Iscsicpl.yml | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index 8645da55..70b01b47 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml 
@@ -1,31 +1,28 @@ --- Name: iscsicpl.exe Description: Microsoft iSCSI Initiator Control Panel tool -Author: Ekitji +Aliases: + - Alias: iscsicpl.exe # PE Original filename +Author: 'Ekitji' Created: 2025-08-17 -Commands - - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary - Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass. - Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt. +Commands: + - Command: iscsicpl.exe # SysWOW64 binary + Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll. Can also Bypass UAC through launching iscicpl.exe, go to Configuration --> Report --> launch cmd + Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 - Tags: - - Execute: DLL - - Command: iscsicpl.exe # SysWOW64/System32 binary - Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command. - Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + - Command: iscsicpl.exe # System32 binary + Description: c:\windows\system32\iscsicpl.exe has UAC Bypass through launching iscicpl.exe, go to Configuration --> Report --> launch cmd + Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. 
Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 - Tags: - - Execute: CMD - - Application: GUI Full_Path: - - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application - - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application + - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application + - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll From 50ccee606c30227280f91999b08a2532a76abd32 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 21:49:43 +0200 Subject: [PATCH 14/19] Update Iscsicpl.yml --- yml/OSBinaries/Iscsicpl.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index 70b01b47..46b8f7d6 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml 
@@ -1,28 +1,31 @@ --- Name: iscsicpl.exe Description: Microsoft iSCSI Initiator Control Panel tool -Aliases: - - Alias: iscsicpl.exe # PE Original filename -Author: 'Ekitji' +Author: Ekitji Created: 2025-08-17 Commands: - - Command: iscsicpl.exe # SysWOW64 binary - Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll. Can also Bypass UAC through launching iscicpl.exe, go to Configuration --> Report --> launch cmd - Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary + Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass. + Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt. Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 - - Command: iscsicpl.exe # System32 binary - Description: c:\windows\system32\iscsicpl.exe has UAC Bypass through launching iscicpl.exe, go to Configuration --> Report --> launch cmd - Usecase: Used legitimately for configuring iSCSI connections but can be leveraged for persistence or UAC bypass if abused. + Tags: + - Execute: DLL + - Command: iscsicpl.exe # SysWOW64/System32 binary + Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. 
Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Application: GUI Full_Path: - - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application - - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application + - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application + - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll From 210641f6cbe029253b5534b90816096d9168c428 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 21:59:09 +0200 Subject: [PATCH 15/19] Delete yml/OSBinaries/eudcedit.yml duplicate entry --- yml/OSBinaries/eudcedit.yml | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 yml/OSBinaries/eudcedit.yml diff --git a/yml/OSBinaries/eudcedit.yml b/yml/OSBinaries/eudcedit.yml deleted file mode 100644 index 78a28fe3..00000000 --- a/yml/OSBinaries/eudcedit.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -Name: eudcedit.exe -Description: Private Character Editor (EUDC) — creates and edits end-user defined characters. -Aliases: - - Alias: EUDCEDIT.EXE # PE Original filename -Author: 'Ekitji' -Created: 2025-09-04 -Commands: - - Command: eudcedit.exe # System32 (64-bit) - Description: Legitimate GUI tool. Can be abused for a UAC bypass by breaking out from the GUI to spawn other processes. - Usecase: Start process --> OK --> File --> Font Links --> Link with Selected Fonts --> Saves As --> start cmd in adress bar. - Category: UAC Bypass - Privileges: User - MitreID: T1548.002 - OperatingSystem: Windows 10, Windows 11 - - Command: eudcedit.exe # SysWOW64 (32-bit) - Description: 32-bit variant of the same tool; similar UAC bypass via GUI breakout . - Usecase: Start process --> OK --> File --> Font Links --> Link with Selected Fonts --> Saves As --> start cmd in adress bar. - Category: UAC Bypass - Privileges: User - MitreID: T1548.002 - OperatingSystem: Windows 10, Windows 11 -Full_Path: - - Path: c:\windows\syswow64\eudcedit.exe - - Path: c:\windows\system32\eudcedit.exe -Detection: - - IOC: Parent process eudcedit.exe spawning interactive shells (e.g., cmd.exe, powershell.exe) or mmc.exe. - - IOC: eudcedit.exe creating high-integrity child processes from a standard-user context. - - IOC: EventID 4688 with ParentImage = *\eudcedit.exe and suspicious ChildImage. - - IOC: Sysmon EventID 1 (Process Create) with ParentImage = *\eudcedit.exe and suspicious ChildImage. -Resources: - - Link: https://rewterz.com/threat-advisory/windows-uac-bypassed-via-character-map -Acknowledgement: - - Person: rewterz - - Person: Ekitji - Handle: '@eki_erk' From 5de68b3696a6be4d9943575b7ecb755706ebc66e Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 22:01:02 +0200 Subject: [PATCH 16/19] Update odbcad32.yml --- yml/OSBinaries/odbcad32.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml index 0f310381..2f253a22 100644 --- a/yml/OSBinaries/odbcad32.yml +++ b/yml/OSBinaries/odbcad32.yml @@ -9,7 +9,6 @@ Commands: - Command: odbcad32.exe # System32 (64-bit) Description: Legitimate GUI tool. Can be abused for a UAC bypass by breaking out from the GUI to spawn other processes. Usecase: Manage ODBC data sources; UAC bypass via GUI breakout by starting process --> Tracing --> Browse --> cmd.exe OR Tracing --> Select DLL --> cmd.exe - Category: UAC Bypass Privileges: User MitreID: T1548.002 @@ -21,7 +20,6 @@ Commands: Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 -Full_Path: - Path: c:\windows\system32\odbcad32.exe - Path: c:\windows\syswow64\odbcad32.exe Detection: From 87f795f2632adad506c0b1bda6b8cf975a1c431c Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 22:03:59 +0200 Subject: [PATCH 17/19] Update odbcad32.yml --- yml/OSBinaries/odbcad32.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml index 2f253a22..b6d8466b 100644 --- a/yml/OSBinaries/odbcad32.yml +++ b/yml/OSBinaries/odbcad32.yml @@ -20,6 +20,7 @@ Commands: Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 +Full_Path: - Path: c:\windows\system32\odbcad32.exe - Path: c:\windows\syswow64\odbcad32.exe Detection: From 390b85e788899a3dd42c32a80f2c63929608d03a Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 22:07:03 +0200 Subject: [PATCH 18/19] Update odbcad32.yml From c075c0ed46361c5412e89049e3f684b426d305d0 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 5 Oct 2025 22:09:39 +0200 Subject: [PATCH 19/19] Update odbcad32.yml --- yml/OSBinaries/odbcad32.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/yml/OSBinaries/odbcad32.yml b/yml/OSBinaries/odbcad32.yml index b6d8466b..354ac348 100644 --- a/yml/OSBinaries/odbcad32.yml +++ b/yml/OSBinaries/odbcad32.yml @@ -1,6 +1,6 @@ --- Name: odbcad32.exe -Description: ODBC Data Source Administrator — manages User/System DSNs and ODBC drivers. +Description: ODBC Data Source Administrator to manage User/System DSNs and ODBC drivers. Aliases: - Alias: odbcad32.exe # PE Original filename Author: 'Ekitji'