Adversaries can bypass UAC with Fodhelper.exe, an auto-elevating Windows binary that normally opens the Optional Features page of Settings. The attacker writes a command into the default value of HKCU\Software\Classes\ms-settings\shell\open\command, adds an empty DelegateExecute value next to it, and then starts fodhelper.exe; the binary resolves the ms-settings handler from HKCU first and launches that command at high integrity without a consent prompt, which is a privilege escalation that needs no user interaction (T1548.002). Because the technique always produces two events on the same host, the registry write and the fodhelper.exe launch, SOC teams should hunt for that pair in Microsoft Sentinel (Azure Sentinel) to catch the bypass early in the attack lifecycle.
KQL Query
imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
id: ac9e233e-44d4-45eb-b522-6e47445f6582
name: Potential Fodhelper UAC Bypass (ASIM Version)
description: |
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.'
severity: Medium
requiredDataConnectors: []
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1548.002
query: |
imRegistry
| where EventType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Software\\Classes\\ms-settings\\shell\\open\\command"
| extend TimeKey = bin(TimeGenerated, 1h)
| join (imProcess
| where Process endswith "fodhelper.exe"
| where ParentProcessName endswith "cmd.exe" or ParentProcessName endswith "powershell.exe" or ParentProcessName endswith "powershell_ise.exe"
| extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DvcHostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
version: 1.0.5
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Pete Bryan
support:
tier: Community
categories:
domains: [ "Security - Others" ]
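The following Python is an added example and is not part of the original rule or Pete Bryan's code. It re-implements the query's two filters and its join on (bin(TimeGenerated, 1h), Dvc) over constructed, ASIM-shaped events so the join semantics can be inspected without a workspace; field names follow the query above, while the hosts, SIDs, times, accounts and paths are invented. It also shows a failure mode of the 1h-bin join (a registry write at 10:58 paired with a fodhelper.exe launch at 11:01 falls in two different bins and is missed), a sliding-window variant that catches it, and a triage helper that pulls the command written to the handler's default value and whether DelegateExecute was set.

```python
"""Offline replay of the Fodhelper UAC bypass correlation (added example).

Not the Sentinel rule's code: it re-implements the query's two filters and its
join on (bin(TimeGenerated, 1h), Dvc) in plain Python over constructed,
ASIM-shaped events. Field names follow the query above; hosts, SIDs, times and
paths are invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HANDLER = r"\Software\Classes\ms-settings\shell\open\command"

# Constructed imRegistry-style events (not real telemetry).
REGISTRY_EVENTS = [
    # HOST-A, 10:58: default value -> payload, then DelegateExecute set to "".
    {"TimeGenerated": datetime(2024, 5, 1, 10, 58), "Dvc": "HOST-A",
     "EventType": "RegistryValueSet",
     "RegistryKey": r"HKEY_USERS\S-1-5-21-1-2-3-1001" + HANDLER,
     "RegistryValue": "(Default)", "RegistryValueData": r"cmd.exe /c C:\Users\Public\p.exe",
     "ActorUsername": r"CORP\jdoe"},
    {"TimeGenerated": datetime(2024, 5, 1, 10, 58), "Dvc": "HOST-A",
     "EventType": "RegistryValueSet",
     "RegistryKey": r"HKEY_USERS\S-1-5-21-1-2-3-1001" + HANDLER,
     "RegistryValue": "DelegateExecute", "RegistryValueData": "",
     "ActorUsername": r"CORP\jdoe"},
    # HOST-B: unrelated file-association change under Software\Classes.
    {"TimeGenerated": datetime(2024, 5, 1, 11, 5), "Dvc": "HOST-B",
     "EventType": "RegistryValueSet",
     "RegistryKey": r"HKEY_USERS\S-1-5-21-1-2-3-1002\Software\Classes\.txt",
     "RegistryValue": "(Default)", "RegistryValueData": "txtfile",
     "ActorUsername": r"CORP\asmith"},
]

# Constructed imProcess-style events (not real telemetry).
PROCESS_EVENTS = [
    # HOST-A, 11:01: fodhelper.exe from PowerShell, three minutes after the
    # handler write but in the next one-hour bin.
    {"TimeGenerated": datetime(2024, 5, 1, 11, 1), "Dvc": "HOST-A",
     "Process": r"C:\Windows\System32\fodhelper.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # HOST-B: fodhelper.exe from cmd.exe with no handler write to pair it with.
    {"TimeGenerated": datetime(2024, 5, 1, 11, 10), "Dvc": "HOST-B",
     "Process": r"C:\Windows\System32\fodhelper.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

SHELL_PARENTS = ("cmd.exe", "powershell.exe", "powershell_ise.exe")


def suspicious_registry(events):
    """imRegistry side: value set or key created under the ms-settings handler."""
    return [e for e in events
            if e["EventType"] in ("RegistryValueSet", "RegistryKeyCreated")
            and HANDLER.lower() in e["RegistryKey"].lower()]


def fodhelper_from_shell(events):
    """imProcess side: fodhelper.exe whose parent is one of the listed shells."""
    return [e for e in events
            if e["Process"].lower().endswith("fodhelper.exe")
            and e["ParentProcessName"].lower().endswith(SHELL_PARENTS)]


def bin_hour(ts):
    """KQL bin(TimeGenerated, 1h): truncate to the start of the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def correlate_binned(reg_events, proc_events):
    """The query's join: equal (TimeKey, Dvc) on both sides. Returns matching hosts."""
    proc_keys = {(bin_hour(p["TimeGenerated"]), p["Dvc"])
                 for p in fodhelper_from_shell(proc_events)}
    return {r["Dvc"] for r in suspicious_registry(reg_events)
            if (bin_hour(r["TimeGenerated"]), r["Dvc"]) in proc_keys}


def correlate_window(reg_events, proc_events, window=timedelta(hours=1)):
    """Sliding-window variant: fodhelper.exe starts within `window` after the
    handler write on the same host, independent of hour boundaries."""
    launches = defaultdict(list)
    for p in fodhelper_from_shell(proc_events):
        launches[p["Dvc"]].append(p["TimeGenerated"])
    return {r["Dvc"] for r in suspicious_registry(reg_events)
            if any(r["TimeGenerated"] <= t <= r["TimeGenerated"] + window
                   for t in launches[r["Dvc"]])}


def handler_payload(reg_events, host):
    """Triage helper: command written to the handler's default value on `host`
    and whether DelegateExecute was set alongside it (the bypass pattern)."""
    command, delegate = None, False
    for r in suspicious_registry(reg_events):
        if r["Dvc"] != host:
            continue
        if r["RegistryValue"] == "(Default)":
            command = r["RegistryValueData"]
        elif r["RegistryValue"].lower() == "delegateexecute":
            delegate = True
    return command, delegate


if __name__ == "__main__":
    print("binned join   :", correlate_binned(REGISTRY_EVENTS, PROCESS_EVENTS))  # set()
    print("1h window join:", correlate_window(REGISTRY_EVENTS, PROCESS_EVENTS))  # {'HOST-A'}
    print("HOST-A payload:", handler_payload(REGISTRY_EVENTS, "HOST-A"))
```

The binned join returns nothing for HOST-A even though the two events are three minutes apart, because bin() assigns them to different hours; the window variant pairs them. In KQL the equivalent is a join on Dvc alone followed by a filter on the time difference between the two sides, which costs more than the bin join but does not have the boundary gap. The payload helper is what a triage analyst wants first: a command in the default value plus DelegateExecute is the bypass pattern regardless of who ran it.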
| Sentinel Table | Notes |
|---|---|
| imRegistry | ASIM registry-event parser; ensure a data connector that feeds it is enabled |
| imProcess | ASIM process-event parser used by the join on fodhelper.exe launches; ensure a data connector that feeds it is enabled |
Scenario: Fodhelper.exe Started From a Shell by an Administrator
Description: An administrator starts fodhelper.exe from cmd.exe or PowerShell, for example from a script that opens the Optional Features page. fodhelper.exe is a signed, auto-elevating Windows binary, so running it is not suspicious on its own.
Filter/Exclusion: The process event alone does not match: the query also requires a write to Software\Classes\ms-settings\shell\open\command on the same host in the same hour. Treat a match as suspicious unless the registry write has a documented origin, and do not exclude on the process side alone.
Scenario: Scheduled Job for Maintenance Tasks
Description: A scheduled task runs a cmd.exe or PowerShell script that starts fodhelper.exe and, in the same hour, modifies keys under HKCU\Software\Classes on the same host.
Filter/Exclusion: Check the registry event first: a legitimate maintenance job has no reason to write to ms-settings\shell\open\command. If a known job does so, exclude it by task name or script path and ActorUsername rather than by parent process.
Scenario: User-Initiated Registry Configuration via PowerShell
Description: An admin uses a PowerShell script to modify keys that Fodhelper.exe reads, including the ms-settings handler under HKCU\Software\Classes, as part of a configuration script.
Filter/Exclusion: Inspect what was written. A default value containing a command together with a DelegateExecute value is the bypass pattern regardless of who ran it. Exclude only specific, reviewed scripts by path and ActorUsername, not powershell.exe as a parent, since that would blind the rule to the most common execution path.
Scenario: Authorized Security Testing
Description: Purple-team or red-team exercises reproduce this technique as a standard T1548.002 test case and generate exactly the registry write and fodhelper.exe launch the rule looks for.
Filter/Exclusion: Correlate with the engagement window, the test hosts (Dvc) and the test accounts (ActorUsername); close as expected activity for that window and do not add a permanent exclusion.
Scenario: Group Policy Object (GPO) Deployment
Description: A Group Policy preference or logon script pushes registry values under HKCU\Software\Classes to many hosts at once; if fodhelper.exe is also started from a shell on those hosts in the same hour, the rule fires fleet-wide at the same time.
Filter/Exclusion: Check for the presence of GPO-related processes