sdclt.exe
- File Path: C:\Windows\system32\sdclt.exe
- Description: Microsoft Windows Backup
Hashes
Type | Hash |
---|---|
MD5 | 4685EDEA02ED044779578CE2AB9505FF |
SHA1 | 8B51E9E17F377A59DB2F89DCEB8B9EF4C7FFB9E8 |
SHA256 | F6BE29F4CFFABB00B95B7DE577E1138A34D1FBBBC4CE122536792276273E75DA |
SHA384 | 84D8D4F217B4F73CE90156B7D95B75BA7ED8765B5E82671C793DDA369D7A2EA725556A58DACDDD2A4E262954076240F7 |
SHA512 | 6A35D9ED01600F5C04221DEB4A162A80C143385044458A30627014BC6D4B0DD9207F41335869498D526C3326A547B21ABCAEED80FFEB1E04C661C5A099653F20 |
SSDEEP | 24576:2ywnRG0Nq1jwZMDW+zfh9yptQHZ7RHegR:WUB+P+TaQ5dH9 |
IMP | FF5971B8CA7F60994822E545275A6C4E |
PESHA1 | A50CAAEB8737A7A5FF8E1BE7DBF097BDF7744CAE |
PE256 | DC642C1BC9A04F39531246AE2D6387CB99992BD4D4A9F8A522589170BF16BDEE |
Runtime Data
Loaded Modules:
Path |
---|
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\system32\sdclt.exe |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial: 330000026551AE1BBD005CBFBD000000000265
- Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: sdclt.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/68
- VirusTotal Link: https://www.virustotal.com/gui/file/f6be29f4cffabb00b95b7de577e1138a34d1fbbbc4ce122536792276273e75da/detection/
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\system32\sdclt.exe | 99 |
C:\Windows\system32\sdclt.exe | 50 |
C:\Windows\system32\sdclt.exe | 50 |
C:\Windows\system32\sdclt.exe | 50 |
C:\WINDOWS\system32\sdclt.exe | 46 |
Possible Misuse
The following table contains possible examples of sdclt.exe being misused. While sdclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_high_integrity_sdclt.yml | title: High Integrity Sdclt Process | DRL 1.0 |
sigma | proc_creation_win_high_integrity_sdclt.yml | description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques. | DRL 1.0 |
sigma | proc_creation_win_high_integrity_sdclt.yml | Image\|endswith: 'sdclt.exe' | DRL 1.0 |
sigma | proc_creation_win_sdclt_child_process.yml | title: Sdclt Child Processes | DRL 1.0 |
sigma | proc_creation_win_sdclt_child_process.yml | description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. | DRL 1.0 |
sigma | proc_creation_win_sdclt_child_process.yml | ParentImage\|endswith: '\sdclt.exe' | DRL 1.0 |
sigma | registry_event_bypass_uac_using_delegateexecute.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute | DRL 1.0 |
sigma | registry_event_comhijack_sdclt.yml | title: COM Hijack via Sdclt | DRL 1.0 |
sigma | registry_event_comhijack_sdclt.yml | - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass | DRL 1.0 |
sigma | registry_event_uac_bypass_sdclt.yml | title: UAC Bypass via Sdclt | DRL 1.0 |
sigma | registry_event_uac_bypass_sdclt.yml | description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) | DRL 1.0 |
sigma | registry_event_uac_bypass_sdclt.yml | - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ | DRL 1.0 |
malware-ioc | misp_invisimole.json | "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" | © ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | - Atomic Test #7 - Bypass UAC using sdclt DelegateExecute | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | ## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Reference - sevagas.com | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Start-Process -FilePath $env:windir\system32\sdclt.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Target: \system32\sdclt.exe | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.