UAC Bypass via Mscfile Registry Key Modification

Rule Info

Name: UAC Bypass via Mscfile Registry Key Modification
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects attempts to modify the registry key HKCU\Software\Classes\mscfile\shell\open\command to point to a malicious binary (e.g., c:\Users\AppData\Local\Temp\Malware.exe) for potential exploitation. This could be indicative of adversaries attempting to replace mmc.exe with a malicious binary for privilege escalation without triggering a UAC prompt. Executing any kind of .msc file will then execute the malicious binary with elevated privileges.
Date: 2025-03-07 00:00:00
Modified: None
Id: a3e77c28-15b0-4f54-9a04-ac061b0aea00
Tags: attack.privilege-escalation attack.defense-evasion attack.t1548.002
Type: Nextron Sigma feed only (private)
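
The detection logic the description above outlines, written out as an added Python example. This is not the Nextron rule itself (which is private) and not code from the rule author; it runs over a handful of constructed registry-event records shaped like Sysmon Event ID 13 (value set) telemetry. The event field names (EventID, Image, TargetObject, Details), the sample SIDs and paths, and the assumption that the key's benign value references mmc.exe are all constructed or assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records modelled on Sysmon Event ID 13 (RegistryEvent:
# Value Set). These are invented inputs for the example, not real telemetry.
SAMPLE_EVENTS = [
    {   # per-user override of the mscfile handler, pointing at a Temp binary
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                        "\\mscfile\\shell\\open\\command\\(Default)",
        "Details": "C:\\Users\\victim\\AppData\\Local\\Temp\\Malware.exe",
    },
    {   # machine-wide handler written by an installer, still pointing at mmc.exe
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\mscfile\\shell\\open\\command\\(Default)",
        "Details": "%SystemRoot%\\system32\\mmc.exe \"%1\" %*",
    },
    {   # unrelated file-type handler change: must not match
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                        "\\txtfile\\shell\\open\\command\\(Default)",
        "Details": "notepad.exe %1",
    },
]

# Case-insensitive key fragment the rule description names (hive prefix stripped
# so both HKU\<SID>\... and HKLM\... spellings are seen).
KEY_FRAGMENT = "\\software\\classes\\mscfile\\shell\\open\\command"

# Assumption for triage: the expected handler invokes mmc.exe. A value that does
# not mention mmc.exe is the case the description calls out.
MMC_PATTERN = re.compile(r"mmc\.exe", re.IGNORECASE)


@dataclass
class Finding:
    target: str
    details: str
    image: str
    user_hive: bool       # True when the write landed in HKCU / HKU\<SID>
    points_to_mmc: bool   # True when the new command still references mmc.exe

    @property
    def severity(self) -> str:
        # A per-user handler that no longer calls mmc.exe is the pattern the
        # description attributes to a UAC bypass; anything else is worth a look
        # but is commonly installer noise.
        return "high" if self.user_hive and not self.points_to_mmc else "medium"


def is_user_hive(target: str) -> bool:
    """Return True for HKCU or HKU\\<SID> paths (the per-user class override)."""
    upper = target.upper()
    return upper.startswith("HKCU\\") or upper.startswith("HKU\\")


def match_mscfile_hijack(event: dict) -> Optional[Finding]:
    """Apply the core selection: a value-set event under the mscfile open command key."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if KEY_FRAGMENT not in target.lower():
        return None
    details = event.get("Details", "")
    return Finding(
        target=target,
        details=details,
        image=event.get("Image", ""),
        user_hive=is_user_hive(target),
        points_to_mmc=bool(MMC_PATTERN.search(details)),
    )


def scan(events) -> list:
    """Run the selection over a batch of events and keep the findings."""
    return [f for f in (match_mscfile_hijack(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image} wrote {finding.target!r} -> {finding.details!r}")
```

The HKLM record is kept in the output deliberately: the rule description targets the HKCU key, and the user-hive flag is what separates the per-user override that would take precedence for that user from a machine-wide handler update, so a tuned version of this check could suppress the latter where installer activity is expected.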

Rule History