Uac Bypass Mmc Load Unsigned DLL

Description

This search detects a suspicious unsigned DLL loaded by the MMC.exe application. This technique is commonly seen when an attacker tries to bypass the UAC feature or gain privilege escalation. It is done by modifying a CLSID registry entry so that mmc.exe loads the attacker's DLL path.

Help

To successfully implement this search, you need to be ingesting logs with the process name and image-load events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
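As an added illustration (this is not the page's Splunk search, which is not shown here), the same detection logic in Python over constructed Sysmon ImageLoad (Event ID 7) records: the field names Image, ImageLoaded, Signed and SignatureStatus are Sysmon's, while the hosts, users and DLL paths are made-up sample data. It flags mmc.exe loading a DLL that is unsigned or whose signature did not validate, and ignores non-ImageLoad events and other processes.

```python
import json
import ntpath

# Constructed Sysmon records (Event ID 7 = ImageLoad) as JSON lines, the way a
# forwarder typically ships them. Sample data, not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\mmcbase.dll",
     "Signed": "true", "SignatureStatus": "Valid"},          # benign, signed
    {"EventID": 7, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},   # unsigned -> alert
    {"EventID": 7, "Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},   # not mmc.exe
    {"EventID": 7, "Computer": "WS03", "User": "CORP\\carol",
     "Image": "c:\\windows\\system32\\MMC.EXE",
     "ImageLoaded": "C:\\ProgramData\\loader.dll",
     "Signed": "true", "SignatureStatus": "Invalid"},        # bad sig -> alert
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mmc.exe"},             # not an ImageLoad
])


def is_untrusted_load(ev):
    """Unsigned, or signed but the signature did not validate."""
    signed = str(ev.get("Signed", "")).lower() == "true"
    return not signed or str(ev.get("SignatureStatus", "")).lower() != "valid"


def find_mmc_unsigned_loads(jsonl):
    """One alert per ImageLoad event where mmc.exe loaded an untrusted DLL."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue  # only ImageLoad events carry the signature fields
        # Match on the basename, case-insensitively: Windows path case varies
        if ntpath.basename(ev.get("Image", "")).lower() != "mmc.exe":
            continue
        if is_untrusted_load(ev):
            alerts.append({"host": ev.get("Computer"), "user": ev.get("User"),
                           "dll": ev.get("ImageLoaded"),
                           "signature_status": ev.get("SignatureStatus")})
    return alerts
```

Running it over SAMPLE_EVENTS yields two alerts (WS01 and WS03); in production the same filter would be expressed against the Sysmon ImageLoad fields in the SIEM search.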

Search
