Potential Fodhelper UAC Bypass
| Id | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00 |
| Rulename | Potential Fodhelper UAC Bypass |
| Description | This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required. |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1548.002 |
| Required data connectors | SecurityEvents WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 2h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/PotentialFodhelperUACBypass.yaml |
| Version | 1.0.2 |
| Arm template | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00.json |
SecurityEvent
| where EventID == 4657
| parse ObjectName with "\\REGISTRY\\" KeyPrefix "\\" RegistryKey
| project-reorder RegistryKey
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (
SecurityEvent
| where EventID == 4688
| where Process =~ "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])
description: |
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.'
query: |
SecurityEvent
| where EventID == 4657
| parse ObjectName with "\\REGISTRY\\" KeyPrefix "\\" RegistryKey
| project-reorder RegistryKey
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (
SecurityEvent
| where EventID == 4688
| where Process =~ "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])
entityMappings:
- entityType: Host
fieldMappings:
- columnName: Computer
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: DnsDomain
- entityType: Account
fieldMappings:
- columnName: TargetAccount
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountNTDomain
identifier: NTDomain
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
status: Available
triggerThreshold: 0
tactics:
- PrivilegeEscalation
queryPeriod: 2h
triggerOperator: gt
id: 56f3f35c-3aca-4437-a1fb-b7a84dc4af00
relevantTechniques:
- T1548.002
severity: Medium
name: Potential Fodhelper UAC Bypass
kind: Scheduled
queryFrequency: 2h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/PotentialFodhelperUACBypass.yaml
version: 1.0.2