Ghost UAC Using Trusted Binary

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

Detects UAC bypass via registry manipulation of 'ms-settings'. Flags suspicious reg.exe usage targeting this path and child processes spawned from auto-elevated binaries like fodhelper.exe, indicating a hijacked execution chain.

Severity

Critical

Rule Requirement

Criteria

Action1: actionname = "Detection Events" AND ((FILE_NAME = "reg.exe,regedit.exe" AND COMMANDLINE contains "classes\ms-settings\shell\open\command") AND NAME = "privilege escalation") Action2: actionname = "Process started" AND (PARENTPROCESSNAME endswith "fodhelper.exe,Computerdefaults.exe" AND COMMANDLINE notcontains "fodhelper.exe,Computerdefaults.exe") AND HOSTNAME = Action1.ENDPOINT_NAME AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 10m select Action1.NAME,Action1.SEVERITYLEVEL,Action1.FILE_NAME,Action1.FILEPATH,Action1.ENDPOINT_NAME,Action1.DOMAIN,Action1.USERNAME,Action1.PATTERN,Action1.OUTCOME,Action1.MITRETACTIC,Action1.MITRETECHNIQUE,Action1.CATEGORY,Action1.COMMANDLINE,Action2.HOSTNAME,Action2.MESSAGE,Action2.COMMANDLINE,Action2.FILE_NAME,Action2.PROCESSNAME,Action2.USERNAME,Action2.PARENTPROCESSNAME,Action2.DOMAIN,Action2.ORIGINALFILENAME,Action2.PARENTPROCESSID,Action2.PROCESSID,Action2.PRODUCT_NAME,Action2.SECURITYID

Detection

Execution Mode

realtime

Log Sources

CrowdStrike Falcon