Detecting UAC bypass - modify Windows Store settings

Back


Id	8b8fbf9c-35d4-474b-8151-a40173521293
Rulename	Detecting UAC bypass - modify Windows Store settings
Description	This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Severity	Medium
Tactics	Impact
Techniques	T1490
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
Version	1.0.0
Arm template	8b8fbf9c-35d4-474b-8151-a40173521293.json

KQL

DeviceProcessEvents
| where InitiatingProcessFileName =~ "wsreset.exe"
| where ProcessIntegrityLevel == "High"

YAML

relevantTechniques:
- T1490
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
triggerThreshold: 0
description: |
    This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
id: 8b8fbf9c-35d4-474b-8151-a40173521293
queryFrequency: 1h
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "wsreset.exe"
  | where ProcessIntegrityLevel == "High"  
severity: Medium
status: Available
queryPeriod: 1h
name: Detecting UAC bypass - modify Windows Store settings
tactics:
- Impact
kind: Scheduled

ARM