---
Name: slui.exe
Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system.
Author: Eron Clarke
Created: 2024-09-26
Commands:
  - Command: slui.exe
    Description: Upon execution, slui.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\slui.exe
Detection:
  - IOC: Event ID 10
  - IOC: A binary or script spawned as a child process of slui.exe
  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
Resources:
  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
Acknowledgement:
  - Person: Eron Clarke