Detecting UAC bypass - ChangePK and SLUI registry tampering

DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "slui.exe"
| where InitiatingProcessFileName =~ "changepk.exe"
| where ProcessIntegrityLevel == "High"

queryFrequency: 1h
tactics:
- Impact
name: Detecting UAC bypass - ChangePK and SLUI registry tampering
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-3-changePK-SLUI-tampering.yaml
triggerThreshold: 0
description: |
    This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
status: Available
kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
id: 829a69ba-93e1-491f-8a1f-b19506e9d88a
queryPeriod: 1h
version: 1.0.0
severity: Medium
relevantTechniques:
- T1490
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
triggerOperator: gt
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName =~ "slui.exe"
  | where InitiatingProcessFileName =~ "changepk.exe"
  | where ProcessIntegrityLevel == "High"