Detecting UAC bypass - ChangePK and SLUI registry tampering

DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "slui.exe"
| where InitiatingProcessFileName =~ "changepk.exe"
| where ProcessIntegrityLevel == "High"

queryPeriod: 1h
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName =~ "slui.exe"
  | where InitiatingProcessFileName =~ "changepk.exe"
  | where ProcessIntegrityLevel == "High"  
name: Detecting UAC bypass - ChangePK and SLUI registry tampering
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-3-changePK-SLUI-tampering.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
description: |
    This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
relevantTechniques:
- T1490
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
id: 829a69ba-93e1-491f-8a1f-b19506e9d88a