Detecting UAC bypass - ChangePK and SLUI registry tampering

DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "slui.exe"
| where InitiatingProcessFileName =~ "changepk.exe"
| where ProcessIntegrityLevel == "High"

version: 1.0.0
id: 829a69ba-93e1-491f-8a1f-b19506e9d88a
relevantTechniques:
- T1490
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
name: Detecting UAC bypass - ChangePK and SLUI registry tampering
queryFrequency: 1h
triggerThreshold: 0
description: |
    This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-3-changePK-SLUI-tampering.yaml
queryPeriod: 1h
severity: Medium
kind: Scheduled
tactics:
- Impact
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName =~ "slui.exe"
  | where InitiatingProcessFileName =~ "changepk.exe"
  | where ProcessIntegrityLevel == "High"