
Potential Fodhelper UAC Bypass (ASIM Version)

Author: Pete Bryan
Source: upstream

This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour; this can be tweaked as required.

MITRE ATT&CK coverage

Tactic                Technique
Privilege Escalation  T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion       T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Event coverage

Provider                      Event ID  Title
Sysmon                        12        RegistryEvent (Object create and delete)
Sysmon                        13        RegistryEvent (Value Set)
Sysmon                        14        RegistryEvent (Key and Value Rename)
Security-Auditing             4657      A registry value was modified.
Security-Auditing             4660      An object was deleted.
Security-Auditing             4663      An attempt was made to access an object.
Defender-DeviceRegistryEvents 9005000   Registry activity (any)
Defender-DeviceRegistryEvents 9005002   Registry key deleted
Defender-DeviceRegistryEvents 9005003   Registry value set
Defender-DeviceRegistryEvents 9005004   Registry value deleted

Stages and Predicates

Stage 1: source

imRegistry

Stage 2: where

EventType in ["RegistryKeyCreated", "RegistryValueSet"]

Stage 3: where

RegistryKey match "Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command"

Stage 4: extend

Stage 5: join
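The stages above, re-implemented as an added worked example in Python over constructed ASIM-shaped events. This is not the upstream KQL rule and not code by the rule's author. Stages 1 to 3 follow the predicates shown on the page; the extend and join stages are not spelled out here, so the correlation below is an assumption drawn from the description: pair each matching registry write with a fodhelper.exe process creation on the same host (DvcHostname) that starts within the 1-hour window. Field names (TimeGenerated, DvcHostname, EventType, RegistryKey, TargetProcessName) are assumed from the ASIM registry and process schemas, and every sample event is constructed.

```python
"""Added example: the Fodhelper rule's stages over constructed ASIM-shaped events.
Not the upstream KQL. The join keys and window direction are assumptions."""
import re
from datetime import datetime, timedelta

# Stage 2: the event types the rule keeps (ASIM imRegistry EventType values).
REGISTRY_EVENT_TYPES = {"RegistryKeyCreated", "RegistryValueSet"}

# Stage 3: the rule's regex, one backslash per separator at regex level (the page
# shows it with KQL string escaping applied). Unanchored on purpose so it matches
# under any hive prefix (HKEY_CURRENT_USER\... or HKU\<SID>\...). IGNORECASE is an
# added choice: registry paths are case-insensitive on Windows, while Kusto's
# "matches regex" is case-sensitive, so this catches more than a literal port.
MS_SETTINGS_COMMAND_KEY = re.compile(
    r"Software\\Classes\\ms-settings\\shell\\open\\command", re.IGNORECASE)

# The rule's default correlation window ("within 1 hour"), kept as a parameter.
DEFAULT_WINDOW = timedelta(hours=1)


def registry_hits(registry_events):
    """Stages 1-3: registry events of a kept type that touch the ms-settings command key."""
    return [e for e in registry_events
            if e["EventType"] in REGISTRY_EVENT_TYPES
            and MS_SETTINGS_COMMAND_KEY.search(e["RegistryKey"])]


def correlate(registry_events, process_events, window=DEFAULT_WINDOW):
    """Stages 4-5 as assumed here: join each registry hit to a fodhelper.exe process
    creation on the same host within `window` after the registry write."""
    alerts = []
    for reg in registry_hits(registry_events):
        reg_time = datetime.fromisoformat(reg["TimeGenerated"])
        for proc in process_events:
            if proc["DvcHostname"].casefold() != reg["DvcHostname"].casefold():
                continue
            # Match on the image name so a bare name or a full path both work.
            if not proc["TargetProcessName"].casefold().endswith("fodhelper.exe"):
                continue
            proc_time = datetime.fromisoformat(proc["TimeGenerated"])
            if reg_time <= proc_time <= reg_time + window:
                alerts.append({
                    "DvcHostname": reg["DvcHostname"],
                    "RegistryTime": reg["TimeGenerated"],
                    "RegistryKey": reg["RegistryKey"],
                    "ProcessTime": proc["TimeGenerated"],
                    "Process": proc["TargetProcessName"],
                })
    return alerts


# Constructed sample telemetry (not real events).
REGISTRY_EVENTS = [
    # WS01: the ms-settings command key is written, fodhelper runs minutes later.
    {"TimeGenerated": "2024-05-01T10:00:00", "DvcHostname": "WS01", "EventType": "RegistryValueSet",
     "RegistryKey": r"HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command"},
    # WS01: unrelated value write on another key; stage 3 does not match it.
    {"TimeGenerated": "2024-05-01T10:00:05", "DvcHostname": "WS01", "EventType": "RegistryValueSet",
     "RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    # WS02: same key in HKU\<SID> form, but fodhelper runs 2.5 h later (outside the window).
    {"TimeGenerated": "2024-05-01T09:00:00", "DvcHostname": "WS02", "EventType": "RegistryKeyCreated",
     "RegistryKey": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\ms-settings\shell\open\command"},
    # WS03: key deleted; RegistryKeyDeleted is not a type the rule keeps at stage 2.
    {"TimeGenerated": "2024-05-01T12:00:00", "DvcHostname": "WS03", "EventType": "RegistryKeyDeleted",
     "RegistryKey": r"HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command"},
]

PROCESS_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:01:00", "DvcHostname": "WS01",
     "TargetProcessName": r"C:\Windows\System32\notepad.exe"},
    {"TimeGenerated": "2024-05-01T10:02:30", "DvcHostname": "ws01",  # hostname case differs
     "TargetProcessName": r"C:\Windows\System32\fodhelper.exe"},
    {"TimeGenerated": "2024-05-01T11:30:00", "DvcHostname": "WS02",
     "TargetProcessName": r"C:\Windows\System32\fodhelper.exe"},
    {"TimeGenerated": "2024-05-01T12:01:00", "DvcHostname": "WS03",
     "TargetProcessName": r"C:\Windows\System32\fodhelper.exe"},
]

if __name__ == "__main__":
    for alert in correlate(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(alert)
```

With the default window only WS01 alerts: WS02 is filtered by the window, WS03 by the event-type predicate, and the Run-key write by the key regex. Widening the window to three hours (the "tweaked as required" knob from the description) also surfaces WS02, which is the trade-off to weigh when tuning: a longer window tolerates slower operators at the cost of pairing unrelated registry writes with legitimate fodhelper.exe launches.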

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field        Kind   Values
EventType    in
  • RegistryKeyCreated
  • RegistryValueSet
RegistryKey  match
  • Software\\Classes\\ms-settings\\shell\\open\\command