Use of VisualUiaVerifyNative.exe

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Sigma rule (View on GitHub)

 1title: Use of VisualUiaVerifyNative.exe
 2id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
 3status: test
 4description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
 7    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
 8    - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
 9    - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
10author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
11date: 2022/06/01
12tags:
13    - attack.defense_evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - Image|endswith: '\VisualUiaVerifyNative.exe'
21        - OriginalFileName: 'VisualUiaVerifyNative.exe'
22    condition: selection
23falsepositives:
24    - Legitimate testing of Microsoft UI parts.
25level: medium

References

Related rules

to-top