Detection rules › Splunk
Potential fodhelper UAC Bypass Attempt (PowerShell)
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. This use case detects the creation of registry keys associated with known methods of using fodhelper to bypass UAC. Atomic Test #3: T1548.002
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '20217.35897'
title: Potential fodhelper UAC Bypass Attempt
description: 'Adversaries may bypass UAC mechanisms to elevate process privileges
on system. Windows User Account Control (UAC) allows a program to elevate its privileges
(tracked as integrity levels ranging from low to high) to perform a task under administrator-level
permissions, possibly by prompting the user for confirmation. This use case detects
the creation of registry keys associated with known methods of using fodhelper to
bypass UAC. Atomic Test #3: T1548.002'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(New-Item) OR
TERM(New-ItemProperty) OR TERM(Set-ItemProperty) OR TERM(sp) OR TERM(Set-Item) OR
TERM(sip)) "\\Software\\Classes\\ms-settings\\shell\\open\\command" | table _time,
host, user, process, process_*, parent_process_* | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- privilege-escalation:abuse elevation control mechanism:bypass user account control
- defense-evasion:abuse elevation control mechanism:bypass user account control
technique_id:
- T1548.002
data_category:
- PowerShell logs
references:
- https://blog.sygnia.co/breaking-down-casbaneiro-infection-chain-part2?_ga=2.66949422.1638613298.1690290265-1923873697.1682517767
- https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(New-Item) OR TERM(New-ItemProperty) OR TERM(Set-ItemProperty) OR TERM(sp) OR TERM(Set-Item) OR TERM(sip)) "\\Software\\Classes\\ms-settings\\shell\\open\\command"
Stage 2: table
| table _time, host, user, process, process_*, parent_process_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | "New-Item" |
| 1 | "New-ItemProperty" |
| 1 | "Set-ItemProperty" |
| 1 | TERM |
| 1 | sp |
| 1 | "Set-Item" |
| 1 | TERM |
| 1 | sip |
| 1 | "\\Software\\Classes\\ms-settings\\shell\\open\\command" |