Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Severity | Informational
Description
Creation or modification of the registry keys used by the variations listed below can cause the command they specify to be executed with elevated privileges, bypassing UAC.
Attacker's Goals
Gain higher privileges by bypassing the User Account Control (UAC).
Investigative actions
- Check the registry data modified for a potentially malicious command line.
- Look for processes running matching the command line for malicious activity.
Variations
- Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)
- Creation or modification of the default command executed when opening an MMC application
- Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)
- Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)
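The following is an added example, not the detector's own logic, showing how the two investigative actions can be applied to the four variations above: registry value-set events are matched against the handler keys each auto-elevating binary reads, the registered command line is scored for traits an analyst would want to look at, and repeats on the same host are suppressed for the calendar day to approximate the 1-day deduplication period. The key paths are the commonly documented ones for each variation and, together with the event field names and the sample events, are assumptions of this example rather than values taken from the page.

```python
"""Triage helper for registry-based UAC bypass variations (T1548.002).

Added example: scores constructed registry value-set events against the
auto-elevation handler keys behind the detector's variations. Key paths and
event field names are assumptions, not the detector's own definitions.
"""
import re
from typing import Optional

# Handler keys, matched case-insensitively against the tail of the key path.
# Assumed paths (commonly documented), one per variation on the page.
WATCHED_KEYS = [
    (re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command$", re.I),
     "Fodhelper.exe (ms-settings handler)"),
    (re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command$", re.I),
     "MMC application (mscfile handler)"),
    (re.compile(r"\\software\\classes\\folder\\shell\\open\\command$", re.I),
     "sdclt.exe (Folder handler)"),
    (re.compile(r"\\software\\classes\\appx[0-9a-z]+\\shell\\open\\command$", re.I),
     "Wsreset.exe (AppX handler)"),
]

# Traits in the registered command line that merit a closer look
# (investigative action 1): script hosts, encoded payloads, or binaries
# launched from user-writable paths.
SUSPICIOUS_CMD = re.compile(
    r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32"
    r"|-enc\b|-encodedcommand|frombase64string|downloadstring"
    r"|\\users\\|\\temp\\|\\appdata\\)",
    re.I,
)


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the event writes a watched handler key, else None."""
    for pattern, variation in WATCHED_KEYS:
        if pattern.search(event["key"]):
            data = event.get("data", "")
            return {
                "time": event["time"],
                "host": event["host"],
                "user": event["user"],
                "writer_process": event["process"],   # pivot for investigative action 2
                "variation": variation,
                "value_name": event["value_name"],
                "command": data,
                # A DelegateExecute value appearing next to the command is part of
                # the known pattern; surface it explicitly for the analyst.
                "delegate_execute": event["value_name"].lower() == "delegateexecute",
                "suspicious_command": bool(SUSPICIOUS_CMD.search(data)),
            }
    return None


def detect(events: list) -> list:
    """Classify events, suppressing repeats of the same variation on the same
    host within one calendar day (approximates the 1-day deduplication period)."""
    seen, alerts = set(), []
    for ev in events:
        alert = classify_event(ev)
        if alert is None:
            continue
        dedup_key = (alert["host"], alert["variation"], alert["time"][:10])
        if dedup_key in seen:
            continue
        seen.add(dedup_key)
        alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:02:11", "host": "WS-01", "user": "corp\\alice",
     "process": "powershell.exe", "value_name": "(Default)",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "data": "cmd.exe /c powershell -enc <BASE64_PLACEHOLDER>"},
    {"time": "2024-05-01T10:03:40", "host": "WS-02", "user": "corp\\bob",
     "process": "regedit.exe", "value_name": "(Default)",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command",
     "data": r'C:\Windows\System32\mmc.exe "%1" %*'},
    {"time": "2024-05-01T10:05:00", "host": "WS-01", "user": "corp\\alice",
     "process": "setup.exe", "value_name": "Updater",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Local\upd.exe"},          # out of scope here
    {"time": "2024-05-01T10:06:30", "host": "WS-01", "user": "corp\\alice",
     "process": "powershell.exe", "value_name": "(Default)",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "data": "cmd.exe /c powershell -enc <BASE64_PLACEHOLDER>"},  # same-day repeat
    {"time": "2024-05-01T11:15:05", "host": "WS-03", "user": "corp\\carol",
     "process": "reg.exe", "value_name": "DelegateExecute",
     "key": r"HKCU\Software\Classes\AppXexampleid0123\Shell\open\command",
     "data": ""},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if a["suspicious_command"] else "review"
        print(f"{a['time']} {a['host']} {a['variation']}: [{flag}] {a['command']!r}")
```

Every hit on a watched key is reported, matching the detector's Informational severity; the `suspicious_command` and `delegate_execute` fields only prioritise which alerts to look at first, and `writer_process` gives the pivot for checking running processes against the registered command line. A legitimate-looking command (the mscfile sample) still surfaces, because the key write itself is the event of interest.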