Detecting UAC bypass - modify Windows Store settings

Back


Id	8b8fbf9c-35d4-474b-8151-a40173521293
Rulename	Detecting UAC bypass - modify Windows Store settings
Description	This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Severity	Medium
Tactics	Impact
Techniques	T1490
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
Version	1.0.0
Arm template	8b8fbf9c-35d4-474b-8151-a40173521293.json

KQL

DeviceProcessEvents
| where InitiatingProcessFileName =~ "wsreset.exe"
| where ProcessIntegrityLevel == "High"

YAML

tactics:
- Impact
triggerOperator: gt
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
relevantTechniques:
- T1490
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
id: 8b8fbf9c-35d4-474b-8151-a40173521293
queryPeriod: 1h
name: Detecting UAC bypass - modify Windows Store settings
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
queryFrequency: 1h
description: |
    This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
version: 1.0.0
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "wsreset.exe"
  | where ProcessIntegrityLevel == "High"  
triggerThreshold: 0
severity: Medium
status: Available
kind: Scheduled

ARM