imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
tactics:
- PrivilegeEscalation
triggerOperator: gt
requiredDataConnectors: []
relevantTechniques:
- T1548.002
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DvcHostname
entityType: Host
- fieldMappings:
- identifier: Address
columnName: DvcIpAddr
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: ActorUsername
entityType: Account
id: ac9e233e-44d4-45eb-b522-6e47445f6582
queryPeriod: 2h
name: Potential Fodhelper UAC Bypass (ASIM Version)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialFodhelperUACBypass(ASIMVersion).yaml
queryFrequency: 2h
description: |
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.'
version: 1.0.5
query: |
imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
triggerThreshold: 0
severity: Medium
metadata:
author:
name: Pete Bryan
categories:
domains:
- Security - Others
source:
kind: Community
support:
tier: Community
kind: Scheduled
