imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
name: Potential Fodhelper UAC Bypass (ASIM Version)
relevantTechniques:
- T1548.002
id: ac9e233e-44d4-45eb-b522-6e47445f6582
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialFodhelperUACBypass(ASIMVersion).yaml
requiredDataConnectors: []
version: 1.0.5
severity: Medium
triggerThreshold: 0
metadata:
source:
kind: Community
support:
tier: Community
categories:
domains:
- Security - Others
author:
name: Pete Bryan
queryPeriod: 2h
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DvcHostname
entityType: Host
- fieldMappings:
- identifier: Address
columnName: DvcIpAddr
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: ActorUsername
entityType: Account
queryFrequency: 2h
query: |
imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
tactics:
- PrivilegeEscalation
kind: Scheduled
description: |
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.'
triggerOperator: gt
