Add slui.yml, fodhelper.yml, regedit.yml

yml/OSBinaries/ComputerDefaults.yml

@@ -5,12 +5,15 @@ Author: Eron Clarke
 Created: 2024-09-24
 Commands:
   - Command: ComputerDefaults.exe
-    Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Description: Upon execution, `ComputerDefaults` checks two registry values at `HKCU\Software\Classes\ms-settings\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC Bypass
     Privileges: User
     MitreID: T1548.002
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Requires: Registry Change
 Full_Path:
   - Path: C:\Windows\System32\ComputerDefaults.exe
   - Path: C:\Windows\SysWOW64\ComputerDefaults.exe

yml/OSBinaries/Regedit.yml

@@ -18,6 +18,16 @@ Commands:
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: regedit.exe
+    Description: Upon execution, `regedit` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+    Category: UAC Bypass
+    Privileges: User
+    MitreID: T1548.002
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Requires: Registry Change
 Full_Path:
   - Path: C:\Windows\regedit.exe
 Detection:
@@ -26,6 +36,7 @@ Detection:
   - IOC: regedit.exe should normally not be executed by end-users
 Resources:
   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'

yml/OSBinaries/fodhelper.yml

@@ -0,0 +1,26 @@
+---
+Name: fodhelper.exe
+Description: fodhelper.exe is a Windows system utility used for managing optional features and components.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+  - Command: fodhelper.exe
+    Description: Upon execution, `fodhelper` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+    Category: UAC Bypass
+    Privileges: User
+    MitreID: T1548.002
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Requires: Registry Change
+Full_Path:
+  - Path: C:\Windows\System32\fodhelper.exe
+Detection:
+  - IOC: A binary or script spawned as a child process of fodhelper.exe
+  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+  - Person: Eron Clarke

yml/OSBinaries/slui.yml

@@ -0,0 +1,26 @@
+---
+Name: slui.exe
+Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+  - Command: slui.exe
+    Description: Upon execution, `slui` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+    Category: UAC Bypass
+    Privileges: User
+    MitreID: T1548.002
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Requires: Registry Change
+Full_Path:
+  - Path: C:\Windows\System32\slui.exe
+Detection:
+  - IOC: A binary or script spawned as a child process of slui.exe
+  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+  - Person: Eron Clarke