Use of VisualUiaVerifyNative.exe

 1title: Use of VisualUiaVerifyNative.exe
 2id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
 3status: test
 4description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
 7    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
 8    - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
 9    - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
10author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
11date: 2022/06/01
12tags:
13    - attack.defense_evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - Image|endswith: '\VisualUiaVerifyNative.exe'
21        - OriginalFileName: 'VisualUiaVerifyNative.exe'
22    condition: selection
23falsepositives:
24    - Legitimate testing of Microsoft UI parts.
25level: medium

References

• Visualuiaverifynative | LOLBAS

  Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. VisualUiaVerifyNative.exe Use caseExecute proxied payload with Microsoft signed bin...

  
  Read More

• Applications that can bypass WDAC and how to block them - Windows Security

  

  View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.

  
  Read More

• Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative

  

  Introduction If you have followed this blog over the last few years, many of the posts focus on techniques for bypassing application control solutions such as Windows Defender Application Control (…

  
  Read More

• Adding runscripthelper.exe to the blacklist ruleset · MicrosoftDocs/windows-itpro-docs@937db70

  

  Reference for the runscripthelper.exe bypass: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc Also giving credit to Lee Christensen for his vis...

  
  Read More

Related rules

• Created Files by Microsoft Sync Center
• DeviceCredentialDeployment Execution
• Execute MSDT Via Answer File
• Execute Pcwrun.EXE To Leverage Follina
• Ie4uinit Lolbin Use From Invalid Path