Use of VisualUiaVerifyNative.exe

 1title: Use of VisualUiaVerifyNative.exe
 2id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
 3status: test
 4description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
 7    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
 8    - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
 9    - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
10author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
11date: 2022-06-01
12tags:
13    - attack.defense-evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - Image|endswith: '\VisualUiaVerifyNative.exe'
21        - OriginalFileName: 'VisualUiaVerifyNative.exe'
22    condition: selection
23falsepositives:
24    - Legitimate testing of Microsoft UI parts.
25level: medium

References

• Visualuiaverifynative on LOLBAS

  

  VisualUiaVerifyNative.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Applications that can bypass App Control and how to block them

  

  View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.

  
  Read More

• Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative

  

  Introduction If you have followed this blog over the last few years, many of the posts focus on techniques for bypassing application control solutions such as Windows Defender Application Control (…

  
  Read More

• Adding runscripthelper.exe to the blacklist ruleset · MicrosoftDocs/windows-itpro-docs@937db70

  

  Reference for the runscripthelper.exe bypass: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc Also giving credit to Lee Christensen for his vis...

  
  Read More

Related rules

• Abusing Print Executable
• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Arbitrary File Download Via MSOHTMED.EXE