Detecting UAC bypass - ChangePK and SLUI registry tampering

DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "slui.exe"
| where InitiatingProcessFileName =~ "changepk.exe"
| where ProcessIntegrityLevel == "High"

triggerThreshold: 0
description: |
    This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
severity: Medium
version: 1.0.0
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName =~ "slui.exe"
  | where InitiatingProcessFileName =~ "changepk.exe"
  | where ProcessIntegrityLevel == "High"  
tactics:
- Impact
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
queryPeriod: 1h
relevantTechniques:
- T1490
queryFrequency: 1h
id: 829a69ba-93e1-491f-8a1f-b19506e9d88a
triggerOperator: gt
kind: Scheduled
name: Detecting UAC bypass - ChangePK and SLUI registry tampering
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-3-changePK-SLUI-tampering.yaml