diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml new file mode 100644 index 0000000..7696435 --- /dev/null +++ b/yml/OSBinaries/fodhelper.yml @@ -0,0 +1,24 @@ +--- +Name: fodhelper.exe +Description: fodhelper.exe is a Windows system utility used for managing optional features and components. +Author: Eron Clarke +Created: 2024-09-26 +Commands: + - Command: fodhelper.exe + Description: Upon execution, fodhelper.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\fodhelper.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of fodhelper.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke diff --git a/yml/OSBinaries/regedit.yml b/yml/OSBinaries/regedit.yml new file mode 100644 index 0000000..005b9ee --- /dev/null +++ b/yml/OSBinaries/regedit.yml 
@@ -0,0 +1,25 @@ +--- +Name: regedit.exe +Description: regedit (Registry Editor) is a built-in Windows utility that allows users to view, edit, and manage the Windows Registry. +Author: Eron Clarke +Created: 2024-09-26 +Commands: + - Command: regedit.exe + Description: Upon execution, regedit.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\regedit.exe + - Path: C:\Windows\SysWOW64\regedit.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of regedit.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml new file mode 100644 index 0000000..785a6b2 --- /dev/null +++ b/yml/OSBinaries/slui.yml 
@@ -0,0 +1,24 @@ +--- +Name: slui.exe +Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system. +Author: Eron Clarke +Created: 2024-09-26 +Commands: + - Command: slui.exe + Description: Upon execution, slui.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\slui.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of slui.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke
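Review bot: in the fodhelper.yml hunk the Description is the same sentence reused in regedit.yml and slui.yml with only the binary name changed, and it says fodhelper.exe "checks two registry values" without naming them, deferring to an external gist under Resources. The two value names should be stated inline so the entry stands on its own, and the registry path should be verified per binary rather than copied: the fodhelper technique is generally documented against the ms-settings ProgID under HKEY_CURRENT_USER\Software\Classes, not exefile, and the Detection IOC "Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command" on the same line would then point defenders at a key this binary never reads.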
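Review bot: in the regedit.yml hunk (and the identical Detection blocks in the other two files) "IOC: Event ID 10" names no log source, and if Sysmon is meant, Event ID 10 is ProcessAccess, which matches neither of the IOCs listed beside it. Suggest naming the provider and the events that actually correspond to the described behaviour, e.g. "Sysmon Event ID 13 (registry value set) on HKEY_CURRENT_USER\Software\Classes\...\Shell\open\command" and "Sysmon Event ID 1 (process creation) with ParentImage regedit.exe", so the IOC is actionable as written.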
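Review bot: in the slui.yml hunk "Privileges: User" together with a Description promising execution "as a high-integrity process" is misleading as written; auto-elevation only applies when the invoking account is a member of the local Administrators group running under a filtered (medium-integrity) token, so the Description should state that precondition. While editing that sentence, "the set command will be executed" reads awkwardly; "the command stored in that value is executed" is clearer. Also consider pinning the Sigma link to a commit instead of master so the reference does not drift.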