Detecting UAC bypass - modify Windows Store settings

Back


Id	8b8fbf9c-35d4-474b-8151-a40173521293
Rulename	Detecting UAC bypass - modify Windows Store settings
Description	This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Severity	Medium
Tactics	Impact
Techniques	T1490
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
Version	1.0.0
Arm template	8b8fbf9c-35d4-474b-8151-a40173521293.json

KQL

DeviceProcessEvents
| where InitiatingProcessFileName =~ "wsreset.exe"
| where ProcessIntegrityLevel == "High"

YAML

name: Detecting UAC bypass - modify Windows Store settings
relevantTechniques:
- T1490
id: 8b8fbf9c-35d4-474b-8151-a40173521293
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
version: 1.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
queryFrequency: 1h
status: Available
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "wsreset.exe"
  | where ProcessIntegrityLevel == "High"  
tactics:
- Impact
kind: Scheduled
description: |
    This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
triggerOperator: gt

ARM