If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Registry_event_bypass_uac_using_eventviewer.ymlĭetails : ' %SystemRoot%\system32\mmc.exe "%1" %*'ĭescription : During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. ParentCommandLine : ' "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' Proc_creation_win_sysmon_uac_bypass_eventvwr.yml Proc_creation_win_susp_taskmgr_parent.yml Proc_creation_win_mmc20_lateral_movement.ymlĭescription : Detects MMC20.Application Lateral Movement specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
Proc_creation_win_impacket_lateralization.yml Pipe_created_susp_adfs_namedpipe_connection.yml NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) Sourceįile_event_win_uac_bypass_dotnet_profiler.ymlĭescription : Detects the pattern of UAC Bypass using. While mmc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The following table contains possible examples of mmc.exe being misused.
Legal Copyright: Microsoft Corporation.Product Name: Microsoft Windows Operating System.Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
0 kommentar(er)
