fodhelper.exe

  • File Path: C:\WINDOWS\system32\fodhelper.exe
  • Description: Features On Demand Helper

Hashes

Type Hash
MD5 7215C73EC1AAE35B9E4B1F22C811F85C
SHA1 98551F5184691B65DCEBA531C4E4975D77CD25A5
SHA256 7E80DA8D839DCF05E30317256460ED7A4EE25CAB2750D768569AAAB35E1E8C64
SHA384 431C5B0A2797E38722CD3268724F38E1E05324ED1A63026F68B7B57DC4620A62D1AA7E32538F95FCB503B2E7BE891A31
SHA512 B68EED48DBD32E485FD56B952E3E642F25F1EEFE26EA533B13857E225272EE9668C39552284A438175A323D1685A80D9F878EF0637B5D928BB1E1ED1AC505D61
SSDEEP 768:pwO9ZeoptCAgwlGO1IuTsS4G5KaTVzmoPrOi9davNZ3YS2:t9IoPztg22uTVzm8h9SNZ2

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: FodHelper.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table lists examples of fodhelper.exe being referenced in public detection rules, indicator sets and adversary-emulation tests (columns: source, source file, excerpt, license). fodhelper.exe is not inherently malicious: it is a Microsoft-signed, auto-elevating binary that opens the optional-features page of the Settings app through the ms-settings: protocol handler. Because that handler is resolved through the current user's HKCU\Software\Classes hive, which any medium-integrity process running as that user can write, an attacker can plant a command under the ms-settings shell\open\command key and have fodhelper.exe launch it at high integrity without a UAC prompt (ATT&CK T1548.002, as the Atomic Red Team entries below indicate). The registry write and the resulting child process of fodhelper.exe are the two artifacts the rules below key on.

Source | Source File | Example | License
sigma | proc_creation_win_uac_fodhelper.yml | title: Bypass UAC via Fodhelper.exe | DRL 1.0
sigma | proc_creation_win_uac_fodhelper.yml | description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. | DRL 1.0
sigma | proc_creation_win_uac_fodhelper.yml | ParentImage|endswith: '\fodhelper.exe' | DRL 1.0
sigma | proc_creation_win_uac_fodhelper.yml | - Legitimate use of fodhelper.exe utility by legitimate user | DRL 1.0
sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0
malware-ioc | win_apt_invisimole_uac_bypass.yml | - '\fodhelper.exe' | © ESET 2014-2018
atomic-red-team | index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | - Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | - Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | ## Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | fodhelper.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | ## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | Start-Process "C:\Windows\System32\fodhelper.exe" | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | Target: \system32\fodhelper.exe | MIT License. © 2018 Red Canary
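As an added example (not code from this page, from the Sigma project or from Atomic Red Team), the following Python reproduces the detection logic that the two Sigma rules in the table key on and runs it over constructed Sysmon-style events. The event records, the field names (EventType, ParentImage, TargetObject, User, Time), the five-minute correlation window and the severity labels are assumptions made here; the matching conditions are simplified from the rule descriptions shown above, not copied from the rule files.

```python
"""Detection logic for the fodhelper.exe UAC-bypass artifacts listed above.

Added example: the events below are constructed Sysmon-style records, not real
telemetry, and the field names, correlation window and severity labels are
assumptions of this example, not the Sigma rules' own logic.
"""

# Registry key tails written by the bypass. fodhelper.exe resolves the
# ms-settings: protocol handler through HKCU\Software\Classes, which a
# medium-integrity process can write, so a command planted there runs at
# high integrity when fodhelper.exe auto-elevates. Matched case-insensitively.
SHELL_OPEN_KEYS = (
    "\\classes\\ms-settings\\shell\\open\\command",
    "\\classes\\exefile\\shell\\open\\command",
)

# Assumed correlation window (seconds) between the key write and the launch.
WINDOW_SECONDS = 300


def is_fodhelper_child(event: dict) -> bool:
    """proc_creation_win_uac_fodhelper.yml, as excerpted above: any process
    whose ParentImage ends with \\fodhelper.exe. Legitimate use of the utility
    also produces a child, hence the false positive listed in the table."""
    return (event.get("EventType") == "ProcessCreate"
            and event.get("ParentImage", "").lower().endswith("\\fodhelper.exe"))


def is_shell_open_key_write(event: dict) -> bool:
    """registry_event_shell_open_keys_manipulation.yml (simplified): a value
    set under an ms-settings or exefile shell\\open\\command key."""
    if event.get("EventType") != "RegistryValueSet":
        return False
    target = event.get("TargetObject", "").lower()
    return any(key in target for key in SHELL_OPEN_KEYS)


def correlate(events):
    """Run both rules over the events in time order. A fodhelper.exe child seen
    within WINDOW_SECONDS of a shell\\open\\command write by the same user is
    raised to high severity; either artifact alone is reported as medium."""
    hits = []
    last_key_write = {}  # user -> most recent matching registry event
    for ev in sorted(events, key=lambda e: e["Time"]):
        user = ev.get("User", "")
        if is_shell_open_key_write(ev):
            last_key_write[user] = ev
            hits.append({"rule": "shell_open_keys_manipulation", "user": user,
                         "time": ev["Time"], "severity": "medium",
                         "detail": ev["TargetObject"]})
        elif is_fodhelper_child(ev):
            prior = last_key_write.get(user)
            linked = prior is not None and ev["Time"] - prior["Time"] <= WINDOW_SECONDS
            hits.append({"rule": "uac_fodhelper", "user": user,
                         "time": ev["Time"],
                         "severity": "high" if linked else "medium",
                         "detail": ev.get("CommandLine", "")})
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Benign: a user launches Notepad from Explorer; neither rule should fire.
    {"EventType": "ProcessCreate", "Time": 100, "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    # Attacker in a medium-integrity shell plants the handler in the user hive:
    # an empty DelegateExecute value plus the payload in (Default), the widely
    # documented fodhelper pattern. The SID is a made-up placeholder.
    {"EventType": "RegistryValueSet", "Time": 200, "User": "CORP\\bob",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": ""},
    {"EventType": "RegistryValueSet", "Time": 201, "User": "CORP\\bob",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "cmd.exe /c whoami > C:\\Users\\Public\\elevated.txt"},
    # fodhelper.exe auto-elevates and spawns the planted command as its child.
    {"EventType": "ProcessCreate", "Time": 205, "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Users\\Public\\elevated.txt"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"[{hit['severity']:6}] t={hit['time']} {hit['user']} "
              f"{hit['rule']}: {hit['detail']}")
```

Run as-is the script reports two medium registry hits for bob followed by one high-severity fodhelper.exe child, and nothing for alice. The process-creation rule on its own fires on every child of fodhelper.exe, which is why the Sigma rule lists legitimate use as a false positive; pairing it with the preceding HKCU write by the same user is what separates the bypass from a user opening optional features.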

MIT License. Copyright (c) 2020-2021 Strontic.