Disable UAC Using Registry
Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
Sigma rule (View on GitHub)
1title: Disable UAC Using Registry
2id: 48437c39-9e5f-47fb-af95-3d663c3f2919
3status: experimental
4description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
7author: frack113
8date: 2022/01/05
9modified: 2023/08/17
10tags:
11 - attack.privilege_escalation
12 - attack.defense_evasion
13 - attack.t1548.002
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
20 Details: DWORD (0x00000000)
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
Related rules
- Bypass UAC Using DelegateExecute
- UAC Bypass Abusing Winsat Path Parsing - Registry
- UAC Bypass Using Windows Media Player - Registry
- UAC Bypass via Sdclt
- UAC Bypass Via Wsreset