{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fodhelper/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["uac-bypass","privilege-escalation","fodhelper","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe fodhelper.exe is a legitimate Windows program located in \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e. However, it can be abused to bypass User Account Control (UAC) due to its auto-elevated status. When executed, fodhelper.exe can be manipulated to execute arbitrary commands with elevated privileges by modifying specific registry keys. This technique is often employed by threat actors to escalate privileges and perform malicious activities. This behavior is significant because it allows attackers to bypass security controls and gain unauthorized access to the system with administrative rights. This technique has been observed in conjunction with malware such as IcedID, ValleyRAT, and BlankGrabber Stealer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through phishing or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program that attempts to exploit the Fodhelper UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe malicious script modifies specific registry keys under \u003ccode\u003eHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Classes\\CLSID\\{F74662A2-2037-4F49-9F00-9312367F9B33}\\shell\\open\\command\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes fodhelper.exe.\u003c/li\u003e\n\u003cli\u003eDue to the registry modifications, when fodhelper.exe runs, it executes the attacker's specified command with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to install malware, create new user accounts with administrative rights, or modify system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker might then perform lateral movement within the network, seeking to compromise additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Fodhelper UAC bypass can lead to complete system compromise. An attacker with elevated privileges can disable security controls, install malware, access sensitive data, and potentially pivot to other systems on the network. Organizations that do not monitor for this type of activity are at increased risk of data breaches, financial losses, and reputational damage. The use of this technique has been observed in conjunction with malware such as IcedID, ValleyRAT, and BlankGrabber Stealer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect the execution of fodhelper.exe and its parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications to the \u003ccode\u003eHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Classes\\CLSID\\{F74662A2-2037-4F49-9F00-9312367F9B33}\\shell\\open\\command\u003c/code\u003e keys as mentioned in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious process creation events related to fodhelper.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of fodhelper.exe spawning child processes or accessing the registry keys mentioned above.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or potentially malicious programs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-fodhelper-uac-bypass/","summary":"Detection of fodhelper.exe execution, which is known to exploit User Account Control (UAC) bypass by leveraging specific registry keys, potentially leading to privilege escalation.","title":"FodHelper UAC Bypass Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-03-fodhelper-uac-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Fodhelper","version":"https://jsonfeed.org/version/1.1"}