UAC Bypass Attempt via MSDT

Rule Info

Name
UAC Bypass Attempt via MSDT
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects a UAC bypass attempt via msdt.exe. MSDT stands for the Microsoft Support Diagnostic Tool, a built-in Windows utility used for troubleshooting and diagnosing system issues. An adversary may abuse a DLL hijacking vulnerability in BluetoothDiagnosticUtil.dll (part of the Bluetooth diagnostic package), which is loaded by the auto-elevated msdt.exe without a UAC prompt.
Date
2025-03-31 00:00:00
Modified
None
Id
1abc8a58-a09a-4dfc-bef7-a5e48d77e773
Tags
attack.privilege-escalation attack.defense-evasion attack.t1548.002 attack.t1547.001
Type
Nextron Sigma feed only (private)

Rule History