Detecting UAC bypass - modify Windows Store settings

Back


Id	8b8fbf9c-35d4-474b-8151-a40173521293
Rulename	Detecting UAC bypass - modify Windows Store settings
Description	This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Severity	Medium
Tactics	Impact
Techniques	T1490
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
Version	1.0.0
Arm template	8b8fbf9c-35d4-474b-8151-a40173521293.json

KQL

DeviceProcessEvents
| where InitiatingProcessFileName =~ "wsreset.exe"
| where ProcessIntegrityLevel == "High"

YAML

version: 1.0.0
id: 8b8fbf9c-35d4-474b-8151-a40173521293
relevantTechniques:
- T1490
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
name: Detecting UAC bypass - modify Windows Store settings
queryFrequency: 1h
triggerThreshold: 0
description: |
    This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/UACBypass-2-modify-ms-store.yaml
queryPeriod: 1h
severity: Medium
kind: Scheduled
tactics:
- Impact
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "wsreset.exe"
  | where ProcessIntegrityLevel == "High"

ARM