UAC Notification Disabled

May 10, 2024 · attack.privilege_escalation attack.defense_evasion attack.t1548.002 ·

Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.

Sigma rule (View on GitHub)

 1title: UAC Notification Disabled
 2id: c5f6a85d-b647-40f7-bbad-c10b66bab038
 3related:
 4    - id: 0d7ceeef-3539-4392-8953-3dc664912714
 5      type: similar
 6    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 7      type: similar
 8status: experimental
 9description: |
10    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
11    UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
12    When "UACDisableNotify" is set to 1, UAC prompts are suppressed.    
13references:
14    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
15    - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
16author: frack113, Nasreddine Bencherchali (Nextron Systems)
17date: 2024/05/10
18tags:
19    - attack.privilege_escalation
20    - attack.defense_evasion
21    - attack.t1548.002
22logsource:
23    category: registry_set
24    product: windows
25detection:
26    selection:
27        TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
28        Details: 'DWORD (0x00000001)'
29    condition: selection
30falsepositives:
31    - Unknown
32level: medium

References

atomic-red-team/atomics/T1548.002/T1548.002.md at 7e11e9b79583545f208a6dc3fa062f2ed443d999 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More
BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

Read the in-depth analysis on BlotchyQuasar, a banking trojan hardcoded to collect credentials from Latin American-based banking applications and websites. More from IBM Security X-Force.

Read More

UAC Notification Disabled

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1548.002/T1548.002.md at 7e11e9b79583545f208a6dc3fa062f2ed443d999 · redcanaryco/atomic-red-team

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

Related rules