UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
Sigma rule (View on GitHub)
1title: UAC Notification Disabled
2id: c5f6a85d-b647-40f7-bbad-c10b66bab038
3related:
4 - id: 0d7ceeef-3539-4392-8953-3dc664912714
5 type: similar
6 - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
7 type: similar
8status: experimental
9description: |
10 Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
11 UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
12 When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
13references:
14 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
15 - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
16author: frack113, Nasreddine Bencherchali (Nextron Systems)
17date: 2024-05-10
18tags:
19 - attack.privilege-escalation
20 - attack.defense-evasion
21 - attack.t1548.002
22logsource:
23 category: registry_set
24 product: windows
25detection:
26 selection:
27 TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
28 Details: 'DWORD (0x00000001)'
29 condition: selection
30falsepositives:
31 - Unknown
32level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Read the in-depth analysis on BlotchyQuasar, a banking trojan hardcoded to collect credentials from Latin American-based banking applications and websites. More from IBM Security X-Force.
Read More
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- CMSTP UAC Bypass via COM Object Access