From 11e6bcb0c76459a1f1b4cb2160f2836fcfad43a1 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 16 Feb 2026 19:11:04 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via .NET Code Profiler DLL Hijack rule

Identifies potential User Account Control (UAC) bypass activity leveraging the .NET Code Profiler mechanism to achieve elevated code execution through
DLL hijacking. Attackers may attempt to load arbitrary profiler libraries into high-integrity processes.

---
 ...ss_via_dotnet_code_profiler_dll_hijack.yml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 rules/privilege_escalation_uac_bypass_via_dotnet_code_profiler_dll_hijack.yml

diff --git a/rules/privilege_escalation_uac_bypass_via_dotnet_code_profiler_dll_hijack.yml b/rules/privilege_escalation_uac_bypass_via_dotnet_code_profiler_dll_hijack.yml
new file mode 100644
index 000000000..731846522
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_dotnet_code_profiler_dll_hijack.yml
@@ -0,0 +1,44 @@
+name: UAC bypass via .NET Code Profiler DLL Hijack
+id: 554f1b0d-c317-4cf0-aaac-d29d6e046b0c
+version: 1.0.0
+description: |
+  Identifies potential User Account Control (UAC) bypass activity leveraging
+  the .NET Code Profiler mechanism to achieve elevated code execution through
+  DLL hijacking. Attackers may attempt to load arbitrary profiler libraries
+  into high-integrity processes.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1548
+  technique.name: Abuse Elevation Control Mechanism
+  technique.ref: https://attack.mitre.org/techniques/T1548/
+  subtechnique.id: T1548.002
+  subtechnique.name: Bypass User Account Control
+  subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+  - https://github.com/hfiref0x/UACME
+  - https://github.com/djhohnstein/.NET-Profiler-DLL-Hijack
+
+condition: >
+  sequence
+  maxspan 2m
+    |set_value and
+      registry.data imatches '?:\\*.dll' and
+      registry.path ~= 'HKEY_CURRENT_USER\\Environment\\COR_PROFILER_PATH'
+    | as e1
+    |spawn_process and
+      ps.token.integrity_level = 'HIGH' and
+      thread.callstack.summary imatches concat('ntdll.dll|KernelBase.dll|advapi32.dll|', base($e1.registry.data), '|*') and
+      ps.exe not imatches
+      (
+        '?:\\Windows\\System32\\WerFault.exe',
+        '?:\\Windows\\SysWOW64\\WerFault.exe'
+      )
+    |
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
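Review bot: The first-stage predicate `registry.data imatches '?:\\*.dll'` only accepts a drive-letter path, but the attacker controls the value type, so storing `%TEMP%\evil.dll` as REG_EXPAND_SZ or using a UNC path (`\\host\share\evil.dll`) is expanded before the CLR reads it and the sequence never starts. The companion `registry.path ~= '...\\COR_PROFILER_PATH'` pins one exact value name, whereas the runtime also honours `COR_PROFILER_PATH_32`/`COR_PROFILER_PATH_64` and CoreCLR's `CORECLR_PROFILER_PATH*`, and the CLSID-registration variant (`COR_PROFILER` pointing at an HKCU `InprocServer32` entry with no `*_PROFILER_PATH` at all) is not covered here either. I would loosen the two lines to `registry.data imatches ('?:\\*.dll', '\\\\*.dll', '%*%\\*.dll') and` / `registry.path imatches 'HKEY_CURRENT_USER\\Environment\\COR*PROFILER_PATH*'` (assuming the list form of `imatches` used in the `ps.exe not imatches (...)` clause below is accepted here too) and track the CLSID route in a separate rule. The `WerFault.exe` exclusion and the `maxspan 2m` also deserve a comment, since the environment value persists and the hijack can fire on a later elevated .NET launch well outside the window, in which case only a standalone rule on the registry write would catch it.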