iscsicpl.exe
Microsoft iSCSI Initiator Control Panel tool
Paths
c:\windows\system32\iscsicpl.exe
c:\windows\syswow64\iscsicpl.exe
Commands
UAC Bypass
`c:\windows\syswow64\iscsicpl.exe` is vulnerable to DLL injection through `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in a UAC bypass.
Use case: Execute a custom DLL via a trusted high-integrity process without a UAC prompt.
Privileges: User
c:\windows\syswow64\iscsicpl.exe
UAC Bypass
Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\syswow64\iscsicpl.exe` allow a UAC bypass by launching iscsicpl.exe, navigating to the Configuration tab, clicking Report, then launching your custom command.
Use case: Execute a binary or script as a high-integrity process without a UAC prompt.
Privileges: User
iscsicpl.exe
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
- IOC: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll
- IOC: Suspicious child process of iscsicpl.exe, such as cmd or powershell.
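
The two IOCs above can be checked against endpoint telemetry. The following is an added example, not code from this page or its project: it assumes Sysmon-style records (EventID 7 image load with `Image`/`ImageLoaded`, EventID 1 process creation with `ParentImage`/`Image`) already parsed into dictionaries, and the shell list and sample events are constructed for illustration.

```python
import re

# IOC 1 from the page: ISCSIEXE.dll under a user's WindowsApps directory.
DLL_IOC = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\windowsapps"
                     r"\\iscsiexe\.dll$", re.IGNORECASE)
# IOC 2 from the page: shells spawned by iscsicpl.exe. The page names cmd and
# powershell "etc."; this set is an assumed starting list, extend as needed.
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Final component of a Windows path, lowercased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return an alert string for a matching event, else None."""
    eid = event.get("EventID")
    if eid == 7:  # Sysmon ImageLoad
        if (basename(event.get("Image", "")) == "iscsicpl.exe"
                and DLL_IOC.match(event.get("ImageLoaded", ""))):
            return "iscsicpl.exe loaded ISCSIEXE.dll from user WindowsApps"
    elif eid == 1:  # Sysmon ProcessCreate
        if (basename(event.get("ParentImage", "")) == "iscsicpl.exe"
                and basename(event.get("Image", "")) in SHELLS):
            return "iscsicpl.exe spawned " + basename(event["Image"])
    return None


# Constructed sample events (not real telemetry); "alice" is a placeholder user.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},
    {"EventID": 1, "ParentImage": r"c:\windows\system32\iscsicpl.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def scan(events):
    """Return (index, alert) pairs for every event that matches an IOC."""
    return [(i, a) for i, e in enumerate(events) if (a := check_event(e))]


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```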