Creation or modification of the default command executed when opening an application

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Severity

Informational

Description

Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

Attacker's Goals

Gain higher privileges by bypassing the User Account Control (UAC).

Investigative actions

  • Check the registry data modified for a potentially malicious command line.
  • Look for processes running matching the command line for malicious activity.

Variations

Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Severity

Medium

Description

Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

Attacker's Goals

Gain higher privileges by bypassing the User Account Control (UAC).

Investigative actions

  • Check the registry data modified for a potentially malicious command line.
  • Look for processes running matching the command line for malicious activity.


Creation or modification of the default command executed when opening an MMC application

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Severity

Medium

Description

Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

Attacker's Goals

Gain higher privileges by bypassing the User Account Control (UAC).

Investigative actions

  • Check the registry data modified for a potentially malicious command line.
  • Look for processes running matching the command line for malicious activity.


Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Severity

Medium

Description

Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

Attacker's Goals

Gain higher privileges by bypassing the User Account Control (UAC).

Investigative actions

  • Check the registry data modified for a potentially malicious command line.
  • Look for processes running matching the command line for malicious activity.


Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Severity

Medium

Description

Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

Attacker's Goals

Gain higher privileges by bypassing the User Account Control (UAC).

Investigative actions

  • Check the registry data modified for a potentially malicious command line.
  • Look for processes running matching the command line for malicious activity.