// Pairs a write under the ms-settings\shell\open\command registry path with a
// fodhelper.exe launch whose parent is cmd.exe / powershell.exe / powershell_ise.exe,
// on the same device (Dvc) and inside the same 1-hour bin (TimeKey).
imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
// The join key is the hour bin, not a +/-1h window: a registry write and a process
// launch that land in different bins (e.g. xx:59 and xx:01) are not paired.
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
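# Microsoft Sentinel scheduled analytics rule built on the ASIM parsers (imRegistry /
# imProcess). Indentation restored so that the block scalars and nested mappings parse;
# key names and values are unchanged.
relevantTechniques:
  - T1548.002
name: Potential Fodhelper UAC Bypass (ASIM Version)
# With triggerOperator gt and threshold 0, any row returned by the query raises an alert.
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
severity: Medium
id: ac9e233e-44d4-45eb-b522-6e47445f6582
requiredDataConnectors: []
kind: Scheduled
# The join key is bin(TimeGenerated, 1h) on both sides, so a registry write and a
# fodhelper.exe launch that fall in different hour bins (e.g. xx:59 and xx:01) are not
# paired even though they are less than an hour apart. If that gap matters, join on a
# time window instead of a shared bin, or widen the bin together with queryPeriod.
query: |
  imRegistry
  | where EventType in ("RegistryValueSet", "RegistryKeyCreated")
  | where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
  | extend TimeKey = bin(TimeGenerated, 1h)
  | join (imProcess
  | where Process endswith "fodhelper.exe"
  | where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
  | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
# Literal block: the surrounding single quotes are part of the stored description text
# (this matches the source repository's convention, so they are kept as-is).
description: |
  'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialFodhelperUACBypass(ASIMVersion).yaml
triggerOperator: gt
# A 2h lookback run every 2h covers two complete 1h bins per execution.
queryPeriod: 2h
queryFrequency: 2h
metadata:
  source:
    kind: Community
  categories:
    domains:
      - Security - Others
  author:
    name: Pete Bryan
  support:
    tier: Community
# Quoted so that no consumer re-types the version string.
version: "1.0.5"
entityMappings:
  - entityType: Host
    fieldMappings:
      - columnName: DvcHostname
        identifier: FullName
  - entityType: IP
    fieldMappings:
      - columnName: DvcIpAddr
        identifier: Address
  - entityType: Account
    fieldMappings:
      - columnName: ActorUsername
        identifier: FullName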