Detecting UAC bypass - modify Windows Store settings

Back


Id	8b8fbf9c-35d4-474b-8151-a40173521293
Rulename	Detecting UAC bypass - modify Windows Store settings
Description	This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Severity	Medium
Tactics	Impact
Techniques	T1490
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
Version	1.0.0
Arm template	8b8fbf9c-35d4-474b-8151-a40173521293.json

KQL

DeviceProcessEvents
| where InitiatingProcessFileName =~ "wsreset.exe"
| where ProcessIntegrityLevel == "High"

YAML

description: |
    This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
severity: Medium
name: Detecting UAC bypass - modify Windows Store settings
triggerThreshold: 0
queryPeriod: 1h
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "wsreset.exe"
  | where ProcessIntegrityLevel == "High"  
relevantTechniques:
- T1490
id: 8b8fbf9c-35d4-474b-8151-a40173521293
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine

ARM