Execution via Serviceui.exe

Rule Info

Name
Execution via Serviceui.exe
Author
MalGamy (Nextron Systems)
Description
Detects potential abuse of ServiceUI.exe for privilege escalation using specific flags that allow running applications in a system context within a user session.
Reference
https://secureyourit.co.uk/wp/2024/11/02/living-off-the-land/
Date
2024-11-06 00:00:00
Modified
None
Id
d9119a67-c80b-469c-a0ca-c7bc5f33a4d4
Tags
attack.privilege-escalation attack.execution attack.t1134 attack.t1548.002
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022