UAC Bypass Attempt Via Msdt.EXE

Rule Info

Name
UAC Bypass Attempt Via Msdt.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects a UAC bypass attempt that uses the Msdt binary together with the Bluetooth diagnostic package "BluetoothDiagnostic.xml". The Msdt binary is capable of auto-elevation, and the "BluetoothDiagnostic" diagnostic package does not require admin privileges. This allows a user to call the 32-bit version of Msdt with the Bluetooth package, which automatically starts an elevated instance of Msdt that in turn calls the "sdiagnhost" binary. That binary tries to load the "BluetoothDiagnosticUtil" DLL, which it cannot find in its expected location, so it falls back to searching the directories listed in the PATH environment variable. An attacker who controls one of these directories can place a malicious version of the DLL there and have it loaded by the elevated "sdiagnhost".
Date
2024-03-13 00:00:00
Modified
None
Id
4e9e64a9-ada0-4bf9-988c-c58bc7d1e65c
Tags
attack.defense-evasion attack.privilege-escalation attack.t1548.002
Type
Nextron Sigma feed only (private)
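
The rule itself is private, so as an added illustration (example code written for this page, not the Nextron rule or its logic) the following toy detector shows the two observable points in the chain described above: msdt.exe being launched with the Bluetooth diagnostic package, and the elevated sdiagnhost.exe loading BluetoothDiagnosticUtil.dll from a directory outside System32/SysWOW64. Assumptions not taken from the page: Sysmon-style field names (EventID 1 process creation with Image and CommandLine, EventID 7 image load with Image and ImageLoaded), that the bypass is started as `msdt.exe -path ...\BluetoothDiagnostic.xml`, and the sample events, which are constructed.

```python
"""Toy detector for the msdt.exe / BluetoothDiagnostic.xml UAC bypass chain.

Example code added to this page; it is not the Nextron Sigma rule.
Assumed (not from the page): Sysmon-style event fields and the
"msdt.exe -path <...>\\BluetoothDiagnostic.xml" launch form.
"""
from pathlib import PureWindowsPath

# Directories from which a legitimate system DLL load would be expected.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _image_name(path):
    """Return the lower-cased file name of a Windows path ('' for empty input)."""
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    """True if the path lies directly under System32 or SysWOW64."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def check_process_creation(ev):
    """Flag msdt.exe (32-bit or 64-bit) launched with the BluetoothDiagnostic package."""
    if _image_name(ev.get("Image", "")) != "msdt.exe":
        return None
    if "bluetoothdiagnostic.xml" in ev.get("CommandLine", "").lower():
        return "msdt.exe launched with BluetoothDiagnostic.xml package"
    return None


def check_image_load(ev):
    """Flag sdiagnhost.exe loading BluetoothDiagnosticUtil.dll from a non-system directory.

    The PATH search only happens because the DLL is not found where sdiagnhost
    expects it, so a load from any user-controllable directory is the hijack.
    A stricter variant would flag every load of this DLL name regardless of path.
    """
    if _image_name(ev.get("Image", "")) != "sdiagnhost.exe":
        return None
    loaded = ev.get("ImageLoaded", "")
    if _image_name(loaded) != "bluetoothdiagnosticutil.dll":
        return None
    if not _in_system_dir(loaded):
        return "sdiagnhost.exe loaded BluetoothDiagnosticUtil.dll from non-system path: " + loaded
    return None


def detect(events):
    """Run both checks over a list of event dicts; return (UtcTime, reason) hits."""
    hits = []
    for ev in events:
        reason = None
        if ev.get("EventID") == 1:
            reason = check_process_creation(ev)
        elif ev.get("EventID") == 7:
            reason = check_image_load(ev)
        if reason:
            hits.append((ev.get("UtcTime"), reason))
    return hits


# Constructed sample events (not real telemetry). The WindowsApps directory is
# used as the hijack location because it is user-writable and on the default PATH.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-13 10:00:01", "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "CommandLine": r"msdt.exe -path C:\Windows\diagnostics\index\BluetoothDiagnostic.xml"},
    {"EventID": 1, "UtcTime": "2024-03-13 10:00:02", "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe -id NetworkDiagnosticsWeb"},
    {"EventID": 7, "UtcTime": "2024-03-13 10:00:03", "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll"},
    {"EventID": 7, "UtcTime": "2024-03-13 10:00:04", "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "UtcTime": "2024-03-13 10:00:05", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\tools\BluetoothDiagnosticUtil.dll"},
]


if __name__ == "__main__":
    for when, why in detect(SAMPLE_EVENTS):
        print(when, why)
```

The two checks are intentionally independent: the process-creation match fires at the first, unprivileged step and works even if image-load telemetry is not collected, while the image-load match confirms that the hijack actually succeeded in the elevated process. Neither depends on the parent/child relationship, which a production rule would add to cut false positives from legitimate Bluetooth troubleshooting.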

Rule History