UAC Disabled
Detects an attempt to disable User Account Control (UAC) by setting the registry value EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0. The rule keys on the registry write itself (logsource category registry_set, which for Sysmon is Event ID 13, "Registry value set"), so it fires at the moment the value is written; Windows only honours the new EnableLUA setting after the next reboot, which leaves a window to respond before the consent prompt is actually gone. Writing that value already requires administrative rights, so a hit indicates an elevated actor removing UAC for later use (ATT&CK T1548.002) rather than a bypass in progress. The rule lists its false positives as unknown; expect hits from any administrative or provisioning script that deliberately turns UAC off, so the writing process (the Image field of the event) is the first thing to check during triage.
Sigma rule
```yaml
title: UAC Disabled
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 0d7ceeef-3539-4392-8953-3dc664912714
      type: similar
status: stable
description: |
    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2022-01-05
modified: 2024-05-10
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
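To make the selection logic concrete, the following is an added example (not code from the Sigma rule or the SigmaHQ project) that re-implements the rule's two selection fields as a small matcher and runs it over constructed Sysmon Event ID 13 records. The function names `matches_uac_disabled` and `run_rule` and the `SAMPLE_EVENTS` list are assumptions made for the example; the sample events are constructed, not captured telemetry. It shows three things the rule text alone does not: Sigma string matching is case-insensitive, `|contains` is a substring test while the bare `Details` field is a whole-string comparison, and the literal `DWORD (0x00000000)` only matches telemetry that renders DWORDs the way Sysmon does.

```python
# Added example: the rule's `selection` block as plain Python, run over
# constructed Sysmon RegistryEvent records. Not part of the original rule.

# Values copied from the rule's `selection` block.
TARGET_CONTAINS = r"\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
DETAILS_EQUALS = "DWORD (0x00000000)"


def matches_uac_disabled(event: dict) -> bool:
    """Return True if a registry 'value set' record satisfies the rule.

    Sigma string comparisons are case-insensitive, so both sides are
    lower-cased. `TargetObject|contains` is a substring test; the plain
    `Details` field is a whole-string comparison, so the value must be
    exactly how Sysmon renders a DWORD of zero.
    """
    if event.get("EventID") != 13:  # registry_set maps to Sysmon EID 13
        return False
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return TARGET_CONTAINS.lower() in target and details == DETAILS_EQUALS.lower()


def run_rule(events: list) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_uac_disabled(ev)]


# Constructed sample telemetry (not from a real host); field names follow
# Sysmon's RegistryEvent schema.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
REG = r"C:\Windows\System32\reg.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: reg.exe add <key> /v EnableLUA /t REG_DWORD /d 0 /f  -> alert
    {"EventID": 13, "EventType": "SetValue", "Image": REG,
     "TargetObject": POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    # 1: the same value written back to 1 (UAC re-enabled) -> no alert
    {"EventID": 13, "EventType": "SetValue", "Image": REG,
     "TargetObject": POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
    # 2: a different UAC policy value under the same key -> not this rule's job
    {"EventID": 13, "EventType": "SetValue", "Image": REG,
     "TargetObject": POLICY_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    # 3: mixed-case path written from a script; matching is case-insensitive -> alert
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua",
     "Details": "DWORD (0x00000000)"},
    # 4: a collector that reports the DWORD as a bare "0" instead of Sysmon's
    #    format -> missed by the rule as written
    {"EventID": 13, "EventType": "SetValue", "Image": REG,
     "TargetObject": POLICY_KEY + r"\EnableLUA", "Details": "0"},
    # 5: value deleted (Sysmon EID 12, which carries no Details field) -> out of
    #    scope for registry_set
    {"EventID": 12, "EventType": "DeleteValue", "Image": REG,
     "TargetObject": POLICY_KEY + r"\EnableLUA"},
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['Image']} set {ev['TargetObject']} = {ev['Details']}")
```

Events 0 and 3 are the only hits. Event 4 is the caveat worth remembering when this rule is deployed against a non-Sysmon registry source: the exact `Details` string ties it to Sysmon's DWORD rendering, and a backend converting the rule for another collector must map that literal to however that collector encodes the value. In production the rule would be converted with a Sigma backend rather than matched by hand; the matcher above only shows what the selection means.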
References
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager