Commit 369f1ab

1 parent da0bd21 commit 369f1ab

1 file changed

+40
-0
lines changed

_lolbas/Binaries/Iscsicpl.md

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
---
2+
Name: iscsicpl.exe
3+
Description: Microsoft iSCSI Initiator Control Panel tool
4+
Author: Ekitji
5+
Created: 2025-08-17
6+
Commands:
7+
- Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary
8+
Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass.
9+
Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt.
10+
Category: UAC Bypass
11+
Privileges: User
12+
MitreID: T1548.002
13+
OperatingSystem: Windows 10, Windows 11
14+
Tags:
15+
- Execute: DLL
16+
- Command: iscsicpl.exe # SysWOW64/System32 binary
17+
Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command.
18+
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
19+
Category: UAC Bypass
20+
Privileges: User
21+
MitreID: T1548.002
22+
OperatingSystem: Windows 10, Windows 11
23+
Tags:
24+
- Execute: CMD
25+
- Application: GUI
26+
Full_Path:
27+
- Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application
28+
- Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application
29+
Detection:
30+
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
31+
- IOC: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll
32+
- IOC: Suspicious child process to iscsicpl.exe like cmd, powershell etc.
33+
Resources:
34+
- Link: https://learn.microsoft.com/en-us/windows-server/storage/iscsi/iscsi-initiator-portal
35+
- Link: https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
36+
Acknowledgement:
37+
- Person: hacker.house
38+
- Person: Ekitji
39+
Handle: '@eki_erk'
40+
---
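
Review bot: The second command's Description (new line 17) names `c:\windows\system64\iscsicpl.exe`, a directory that does not match the `Full_Path` entries on new lines 27-28, which list `c:\windows\system32\iscsicpl.exe` and `c:\windows\syswow64\iscsicpl.exe`; this should read `syswow64`. The same line also spells the binary `iscicpl.exe`, missing an `s`. On the Detection block, the linked Sigma rule sits under `rules/windows/image_load/`, so it addresses the `ISCSIEXE.dll` load from the first command only; the GUI breakout in the second command is covered solely by the free-text IOC on new line 32, which would be more useful if it named the parent/child relationship explicitly (for example, `iscsicpl.exe` spawning `cmd.exe` or `powershell.exe`). Finally, the second `Command:` value on new line 16 is the bare `iscsicpl.exe` while the first uses a full path; consider making the two entries consistent so consumers of the YAML can match on either.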
