fodhelper.exe
- File Path:
C:\Windows\system32\fodhelper.exe - Description: Features On Demand Helper
Hashes
| Type | Hash |
|---|---|
| MD5 | F23BCF023D5039CCAB3AA40F6A07B817 |
| SHA1 | 4D0DE1C3121F202604A01C6DC6F6A36F4A0A4619 |
| SHA256 | B1223B86D03C3583B84E46A9A6AD009D770FC4114640402EDE19793167593A8F |
| SHA384 | 9558658080010B4C92BE066A6090AE7E6063D6899476FFB4B4183FA3067BA55341D666B67871F6FF1D2DF062BEDCB0FD |
| SHA512 | 93249CCBF00B0CC62C9EB05535563C443A37830CE5EAB6EC068CA50EF544E9643F8C5E3E6EC484F6A1767F3D21894CD99D9329EC4BBF02FEE7BB895CC75BA394 |
| SSDEEP | 768:YqpZqknV+b+pvxg9JWSALQJnjpt6V3Glw1mHXrzg31TdavZZ7RRr:pqQApW3WOV3Gy1mHX61TSZZTr |
| IMP | 2BD851C90720C3E5FEE7E3FF3ACFA3D5 |
| PESHA1 | 36A86EAA24EBFFE7CF80D3A89E308F6799152FEE |
| PE256 | F3A3C2E5533051AD881B35EB27CFF08234552D03F198BBC7ED8E8DD662A41514 |
Runtime Data
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\cryptsp.dll |
| C:\Windows\system32\fodhelper.exe |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\IMM32.DLL |
| C:\Windows\System32\kernel.appcore.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\powrprof.dll |
| C:\Windows\System32\profapi.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\shlwapi.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\system32\uxtheme.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\windows.storage.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: FodHelper.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/b1223b86d03c3583b84e46a9a6ad009d770fc4114640402ede19793167593a8f/detection/
Possible Misuse
The following table contains possible examples of fodhelper.exe being misused. While fodhelper.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_uac_fodhelper.yml | title: Bypass UAC via Fodhelper.exe |
DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. |
DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | ParentImage\|endswith: '\fodhelper.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | - Legitimate use of fodhelper.exe utility by legitimate user |
DRL 1.0 |
| sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) |
DRL 1.0 |
| malware-ioc | win_apt_invisimole_uac_bypass.yml | - '\fodhelper.exe' |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | fodhelper.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Start-Process “C:\Windows\System32\fodhelper.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Target: \system32\fodhelper.exe | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.