atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md

Title Bypass UAC via Fodhelper.exe
Description Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
ATT&CK Tactic
ATT&CK Technique
Data Needed
Trigger
Severity Level high
False Positives
  • Legitimate use of fodhelper.exe utility by legitimate user
Development Status experimental
References
Author E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community

Detection Rules

Sigma rule

title: Bypass UAC via Fodhelper.exe
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
tags:
    - attack.privilege_escalation
    - attack.t1548.002
    - attack.t1088      # superseded technique id (now T1548.002), kept as the older mapping
# Only process-creation events are consumed; nothing else about the bypass is observed here.
logsource:
    category: process_creation
    product: windows
# Matches every process whose parent image path ends in \fodhelper.exe. The child
# image and its command line are not constrained (CommandLine is only surfaced
# through `fields`), so legitimate fodhelper.exe sessions produce hits as well —
# see falsepositives. NOTE(review): if the registry change this bypass relies on
# is logged in your environment, a companion registry rule would reduce dependence
# on the parent-process check alone — confirm that telemetry exists first.
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
    condition: selection
# Context columns reported with a hit; they take no part in the match.
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Legitimate use of fodhelper.exe utility by legitimate user
level: high

powershell

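# Searches Windows event log messages for processes whose parent image is fodhelper.exe
# and prints the matching records.
# As rendered here, the generated pattern "ParentImage.*.*\\\\fodhelper.exe" demanded two
# consecutive backslashes before the file name: PowerShell double-quoted strings do not
# process backslash escapes, so the regex engine received \\\\ (two literal backslashes),
# which a path such as C:\Windows\System32\fodhelper.exe never contains. The dot in the
# extension was also unescaped. Match one path separator and a literal dot instead.
# NOTE(review): Get-WinEvent is invoked without -LogName/-FilterHashtable; scope it to the
# log carrying process-creation events (e.g. Sysmon event 1 or Security 4688) before use.
Get-WinEvent | Where-Object { $_.Message -match "ParentImage.*\\fodhelper\.exe" } | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message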

es-qs

winlog.event_data.ParentImage.keyword:*\\\\fodhelper.exe

xpack-watcher

curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/7f741dcf-fc22-4759-87b4-9ae8376676a2 <<EOF\n{\n  "metadata": {\n    "title": "Bypass UAC via Fodhelper.exe",\n    "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.t1548.002",\n      "attack.t1088"\n    ],\n    "query": "winlog.event_data.ParentImage.keyword:*\\\\\\\\fodhelper.exe"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "winlog.event_data.ParentImage.keyword:*\\\\\\\\fodhelper.exe",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": [\n          "winlogbeat-*"\n        ]\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "throttle_period": "15m",\n      "email": {\n        "profile": "standard",\n        "from": "root@localhost",\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Bypass UAC via Fodhelper.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nComputerName = {{_source.ComputerName}}\\n        User = {{_source.User}}\\n CommandLine = 
{{_source.CommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n

graylog

ParentImage.keyword:*\\\\fodhelper.exe

splunk

ParentImage="*\\\\fodhelper.exe" | table ComputerName,User,CommandLine

logpoint

ParentImage="*\\\\fodhelper.exe"

grep

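# Reads log lines on stdin and prints those whose parent image path ends in \fodhelper.exe.
# The generated pattern '^.*\\fodhelper\\.exe' was double-escaped: inside single quotes grep
# receives \\ (a literal backslash) followed by . (any character), so it demanded a backslash
# between "fodhelper" and "exe" and never matched "fodhelper.exe". The extension separator
# must be an escaped dot. -E replaces -P because no PCRE-only feature is used and -P is
# absent from BSD/busybox grep.
grep -E '^.*\\fodhelper\.exe'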