UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
Sigma rule
title: UAC Disabled
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 0d7ceeef-3539-4392-8953-3dc664912714
      type: similar
status: stable
description: |
    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2022-01-05
modified: 2024-05-10
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
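The selection above, evaluated in Python over constructed Sysmon registry_set events (modelled on Event ID 13, Value Set), as an added example that is not part of the Sigma project or this rule. The sample events, their Image paths and the field-matching helpers are constructed for illustration; only the two Sigma forms this rule uses (plain equality and the `|contains` modifier, both case-insensitive per the Sigma specification) are implemented.

```python
"""Evaluate the 'UAC Disabled' Sigma selection over constructed registry_set events."""

# Constructed sample events, shaped like Sysmon Event ID 13 (RegistryEvent: Value Set).
# Not real telemetry; Image paths and values are illustrative only.
SAMPLE_EVENTS = [
    {   # EnableLUA set to 0: this is what the rule is meant to catch
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "Details": "DWORD (0x00000000)",
    },
    {   # EnableLUA set back to 1 (UAC re-enabled): Details differs, no alert
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "Details": "DWORD (0x00000001)",
    },
    {   # a different value under the same key: TargetObject differs, no alert
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\gpupdate.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
        "Details": "DWORD (0x00000005)",
    },
]

# The rule's selection map, copied from the detection block above.
SELECTION = {
    "TargetObject|contains": "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
    "Details": "DWORD (0x00000000)",
}


def field_matches(event, key, expected):
    """Apply one Sigma field condition: plain key = exact match, '|contains' = substring match."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, ""))
    if modifier == "contains":
        return expected.lower() in actual.lower()
    if modifier == "":
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """All fields inside one Sigma selection map are ANDed together."""
    return all(field_matches(event, key, value) for key, value in selection.items())


def alerts(events, selection=SELECTION):
    """Return the events the rule's 'condition: selection' would fire on."""
    return [event for event in events if selection_matches(event, selection)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("UAC Disabled:", hit["Image"], hit["TargetObject"], hit["Details"])
```

Because the rule uses `|contains` on TargetObject, the same selection also fires on an EnableLUA write under a different hive prefix (for example an HKU path), which is worth knowing when tuning the `Unknown` false positives.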
Related rules
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP