[New WTFBin]: Fodhelper.exe

[dievus]

• Contributor Name: Joe Helle
• Application/Executable: Fodhelper.exe
• WTF Behavior Description: Can be utilized to bypass UAC restrictions to execute commands with high integrity/administrator privileges. While the initial execution triggers Defender due to static rules, execution of the payload is still possible.
• Link to Documentation of Behavior: https://medium.themayor.tech/utilizing-a-common-windows-binary-to-escalate-to-system-privileges-c16482cced4b

[mttaggart]

Since this is a legit privesc vector that should be alerted on, we'll leave this off the WTFBins list. Although, a huge WTF for Windows allowing this to still work.

[HuskyHacks]

@dievus it looks like fodhelper is not on the LOLBAS project yet. https://lolbas-project.github.io/#fodhelper