<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fodhelper - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/fodhelper/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/fodhelper/feed.xml" rel="self" type="application/rss+xml"/><item><title>FodHelper UAC Bypass Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-fodhelper-uac-bypass/</link><pubDate>Wed, 03 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-fodhelper-uac-bypass/</guid><description>Detection of fodhelper.exe execution, which is known to exploit User Account Control (UAC) bypass by leveraging specific registry keys, potentially leading to privilege escalation.</description><content:encoded><![CDATA[<p>The fodhelper.exe is a legitimate Windows program located in <code>C:\Windows\System32\</code>. However, it can be abused to bypass User Account Control (UAC) due to its auto-elevated status. When executed, fodhelper.exe can be manipulated to execute arbitrary commands with elevated privileges by modifying specific registry keys. This technique is often employed by threat actors to escalate privileges and perform malicious activities. This behavior is significant because it allows attackers to bypass security controls and gain unauthorized access to the system with administrative rights. This technique has been observed in conjunction with malware such as IcedID, ValleyRAT, and BlankGrabber Stealer.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system, often through phishing or other social engineering techniques.</li>
<li>The attacker executes a script or program that attempts to exploit the Fodhelper UAC bypass.</li>
<li>The malicious script modifies specific registry keys under <code>HKCU\Software\Classes\ms-settings\shell\open\command</code> or <code>HKCU\Software\Classes\CLSID\{F74662A2-2037-4F49-9F00-9312367F9B33}\shell\open\command</code>.</li>
<li>The attacker executes fodhelper.exe.</li>
<li>Due to the registry modifications, when fodhelper.exe runs, it executes the attacker's specified command with elevated privileges.</li>
<li>The attacker leverages the elevated privileges to install malware, create new user accounts with administrative rights, or modify system configurations.</li>
<li>The attacker might then perform lateral movement within the network, seeking to compromise additional systems.</li>
<li>The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the Fodhelper UAC bypass can lead to complete system compromise. An attacker with elevated privileges can disable security controls, install malware, access sensitive data, and potentially pivot to other systems on the network. Organizations that do not monitor for this type of activity are at increased risk of data breaches, financial losses, and reputational damage. The use of this technique has been observed in conjunction with malware such as IcedID, ValleyRAT, and BlankGrabber Stealer.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging to detect the execution of fodhelper.exe and its parent processes.</li>
<li>Monitor registry modifications to the <code>HKCU\Software\Classes\ms-settings\shell\open\command</code> or <code>HKCU\Software\Classes\CLSID\{F74662A2-2037-4F49-9F00-9312367F9B33}\shell\open\command</code> keys as mentioned in the attack chain.</li>
<li>Deploy the Sigma rules in this brief to your SIEM to detect suspicious process creation events related to fodhelper.exe.</li>
<li>Investigate any instances of fodhelper.exe spawning child processes or accessing the registry keys mentioned above.</li>
<li>Implement application control policies to restrict the execution of unauthorized or potentially malicious programs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>uac-bypass</category><category>privilege-escalation</category><category>fodhelper</category><category>windows</category></item></channel></rss>