Detecting UAC bypass - ChangePK and SLUI registry tampering

DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "slui.exe"
| where InitiatingProcessFileName =~ "changepk.exe"
| where ProcessIntegrityLevel == "High"

description: |
    This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
kind: Scheduled
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-3-changePK-SLUI-tampering.yaml
status: Available
triggerOperator: gt
severity: Medium
relevantTechniques:
- T1490
triggerThreshold: 0
name: Detecting UAC bypass - ChangePK and SLUI registry tampering
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
id: 829a69ba-93e1-491f-8a1f-b19506e9d88a
queryPeriod: 1h
tactics:
- Impact
version: 1.0.0
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName =~ "slui.exe"
  | where InitiatingProcessFileName =~ "changepk.exe"
  | where ProcessIntegrityLevel == "High"