Use of VisualUiaVerifyNative.exe
VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Sigma rule (View on GitHub)
1title: Use of VisualUiaVerifyNative.exe
2id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
3status: test
4description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
7 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
8 - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
9 - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
10author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
11date: 2022/06/01
12tags:
13 - attack.defense_evasion
14 - attack.t1218
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 - Image|endswith: '\VisualUiaVerifyNative.exe'
21 - OriginalFileName: 'VisualUiaVerifyNative.exe'
22 condition: selection
23falsepositives:
24 - Legitimate testing of Microsoft UI parts.
25level: medium
References
Related rules
- Created Files by Microsoft Sync Center
- DeviceCredentialDeployment Execution
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Ie4uinit Lolbin Use From Invalid Path