From 1a786d20ea7d7732b06912513589d4c0cf8d75a9 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 14 Dec 2023 07:06:13 -0500
Subject: [PATCH] Initial Upload
---
 .../T1548.002/uac_behavior/uac_behavior.yml | 14 ++++++++++++++
 .../T1548.002/uac_behavior/uac_behavior_sysmon.log | 3 +++
 2 files changed, 17 insertions(+)
 create mode 100644 datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml
 create mode 100644 datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log
diff --git a/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml
new file mode 100644
index 00000000..1be2cca3
--- /dev/null
+++ b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml
@@ -0,0 +1,14 @@
+author: Steven Dick
+id: 0fe95fd6-68cf-41de-9e05-26547ce1e08a
+date: '2023-11-20'
+description: 'Detection of common User Account Control bypass techniques, generated using Atomic Tests for T1548.002'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1548/002/
+- https://atomicredteam.io/defense-evasion/T1548.002/
+- https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/
+- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log
new file mode 100644
index 00000000..3e3ead61
--- /dev/null
+++ b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log
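Review bot: The `description` in the uac_behavior.yml hunk records only that the log was "generated using Atomic Tests for T1548.002", so a consumer of this dataset cannot tell which atomic test numbers were executed, on which Windows build, or with which Sysmon configuration — the facts a detection validated against this log needs in order to be reproduced or re-generated later. Consider extending the string, e.g. `description: 'Detection of common User Account Control bypass techniques, generated using Atomic Tests for T1548.002 (tests <TEST-IDS>, Windows <BUILD>, Sysmon config <CONFIG>)'` with the placeholders filled in from the collection run. The file also ends without a trailing newline (`\ No newline at end of file`), which YAML linters and later diffs will flag; terminate the last `references` entry with a newline. The hunk covers the whole new file.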
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:888defe1a65bbb87861535b7b84a511b0d464bcdfabeb88e3938f94434aa9437
+size 533345