UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
Sigma rule (View on GitHub)
1title: UAC Notification Disabled
2id: c5f6a85d-b647-40f7-bbad-c10b66bab038
3related:
4 - id: 0d7ceeef-3539-4392-8953-3dc664912714
5 type: similar
6 - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
7 type: similar
8status: experimental
9description: |
10 Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
11 UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
12 When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
13references:
14 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
15 - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
16author: frack113, Nasreddine Bencherchali (Nextron Systems)
17date: 2024-05-10
18tags:
19 - attack.privilege-escalation
20 - attack.defense-evasion
21 - attack.t1548.002
22logsource:
23 category: registry_set
24 product: windows
25detection:
26 selection:
27 TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
28 Details: 'DWORD (0x00000001)'
29 condition: selection
30falsepositives:
31 - Unknown
32level: medium
References
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager