fodhelper.exe
- File Path:
C:\Windows\system32\fodhelper.exe - Description: Features On Demand Helper
Hashes
| Type | Hash |
|---|---|
| MD5 | 85018BE1FD913656BC9FF541F017EACD |
| SHA1 | 26D7407931B713E0F0FA8B872FEECDB3CF49065A |
| SHA256 | C546E05D705FFDD5E1E18D40E2E7397F186A7C47FA5FC21F234222D057227CF5 |
| SHA384 | DE9AE28B35A9F9ED3D41D222ABCE0C39B8C0E5DBED6FCBC5F6F0001124D28D789C004727044CA12AE09746C5CD19DC37 |
| SHA512 | 3E5903CF18386951C015AE23DD68A112B2F4B0968212323218C49F8413B6D508283CC6AAA929DBEAD853BD100ADC18BF497479963DAD42DFAFBEB081C9035459 |
| SSDEEP | 768:WwU7bDT2KLt6oPjQQ5fxGIjN44MgZkD9TpiPogpUORaNpohsySZlv7:WtfT2KwoPBxjN4zDbgpUOoo1SZ17 |
| IMP | 2BD851C90720C3E5FEE7E3FF3ACFA3D5 |
| PESHA1 | 21687605F7285AB4815D1FD6E43A4015B3E2A995 |
| PE256 | 3D103B9B4E19548A0B63A8607E28E54F164BE13B2D5FEAF1AC046EBCB90DFEE4 |
Runtime Data
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\system32\fodhelper.exe |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: FodHelper.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5/detection
Possible Misuse
The following table contains possible examples of fodhelper.exe being misused. While fodhelper.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_uac_fodhelper.yml | title: Bypass UAC via Fodhelper.exe |
DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. |
DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | ParentImage\|endswith: '\fodhelper.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | - Legitimate use of fodhelper.exe utility by legitimate user |
DRL 1.0 |
| sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) |
DRL 1.0 |
| malware-ioc | win_apt_invisimole_uac_bypass.yml | - '\fodhelper.exe' |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | fodhelper.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Start-Process “C:\Windows\System32\fodhelper.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Target: \system32\fodhelper.exe | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.