From d733b6e130e82ae3f10b1be807f956fb686cb27e Mon Sep 17 00:00:00 2001
From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com>
Date: Thu, 26 Sep 2024 16:31:47 -0500
Subject: [PATCH] Add files via upload

---
 yml/OSBinaries/fodhelper.yml | 24 ++++++++++++++++++++++++
 yml/OSBinaries/regedit.yml   | 25 +++++++++++++++++++++++++
 yml/OSBinaries/slui.yml      | 24 ++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 yml/OSBinaries/fodhelper.yml
 create mode 100644 yml/OSBinaries/regedit.yml
 create mode 100644 yml/OSBinaries/slui.yml

diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml
new file mode 100644
index 0000000..7696435
--- /dev/null
+++ b/yml/OSBinaries/fodhelper.yml
@@ -0,0 +1,24 @@
+---
+Name: fodhelper.exe
+Description: fodhelper.exe is a Windows system utility used for managing optional features and components.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+  - Command: fodhelper.exe
+    Description: Upon execution, fodhelper.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+    Category: UAC Bypass
+    Privileges: User
+    MitreID: T1548.002
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\fodhelper.exe
+Detection:
+  - IOC: Event ID 10
+  - IOC: A binary or script spawned as a child process of fodhelper.exe
+  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+  - Person: Eron Clarke
diff --git a/yml/OSBinaries/regedit.yml b/yml/OSBinaries/regedit.yml
new file mode 100644
index 0000000..005b9ee
--- /dev/null
+++ b/yml/OSBinaries/regedit.yml
@@ -0,0 +1,25 @@
+---
+Name: regedit.exe
+Description: regedit (Registry Editor) is a built-in Windows utility that allows users to view, edit, and manage the Windows Registry.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+  - Command: regedit.exe
+    Description: Upon execution, regedit.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+    Category: UAC Bypass
+    Privileges: User
+    MitreID: T1548.002
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\regedit.exe
+  - Path: C:\Windows\SysWOW64\regedit.exe
+Detection:
+  - IOC: Event ID 10
+  - IOC: A binary or script spawned as a child process of regedit.exe
+  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+  - Person: Eron Clarke
diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml
new file mode 100644
index 0000000..785a6b2
--- /dev/null
+++ b/yml/OSBinaries/slui.yml
@@ -0,0 +1,24 @@
+---
+Name: slui.exe
+Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+  - Command: slui.exe
+    Description: Upon execution, slui.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+    Category: UAC Bypass
+    Privileges: User
+    MitreID: T1548.002
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\slui.exe
+Detection:
+  - IOC: Event ID 10
+  - IOC: A binary or script spawned as a child process of slui.exe
+  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+  - Person: Eron Clarke