UAC Bypass Attempt Via Msdt.EXE

Rule Info

Name
UAC Bypass Attempt Via Msdt.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects UAC bypass attempt using the Msdt binary and the bluetooth "BluetoothDiagnostic.xml" diagnostic package. The Msdt binary is capable of auto-elevation and the "BluetoothDiagnostic" diagnostic package doesn't requires admin privileges. This allows a user to call Msdt (32bit version) with the bluetooth package, which will automatically start an elevated instance of Msdt and call the "sdiagnhost" binary. This binary will try to load the "BluetoothDiagnosticUtil" DLL, which it will not be able to find. So it defer to loading from any directory in the PATH env variable. An attacker can hijack one of these location to insert a malicious version of this DLL and get it loaded by "sdiagnhost".
Reference
https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
Date
2024-03-13 00:00:00
Modified
None
Id
4e9e64a9-ada0-4bf9-988c-c58bc7d1e65c
Tags
attack.defense_evasion attack.privilege_escalation attack.t1548.002
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022