UAC Disabled

Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.

Sigma rule (View on GitHub)

 1title: UAC Disabled
 2id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 3related:
 4    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
 5      type: similar
 6    - id: 0d7ceeef-3539-4392-8953-3dc664912714
 7      type: similar
 8status: stable
 9description: |
10        Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
11references:
12    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
13author: frack113
14date: 2022-01-05
15modified: 2024-05-10
16tags:
17    - attack.privilege-escalation
18    - attack.defense-evasion
19    - attack.t1548.002
20logsource:
21    category: registry_set
22    product: windows
23detection:
24    selection:
25        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
26        Details: 'DWORD (0x00000000)'
27    condition: selection
28falsepositives:
29    - Unknown
30level: medium

References

Related rules

to-top