UAC Notification Disabled

 1title: UAC Notification Disabled
 2id: c5f6a85d-b647-40f7-bbad-c10b66bab038
 3related:
 4    - id: 0d7ceeef-3539-4392-8953-3dc664912714
 5      type: similar
 6    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 7      type: similar
 8status: test
 9description: |
10    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
11    UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
12    When "UACDisableNotify" is set to 1, UAC prompts are suppressed.    
13references:
14    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
15    - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
16author: frack113, Nasreddine Bencherchali (Nextron Systems)
17date: 2024-05-10
18tags:
19    - attack.privilege-escalation
20    - attack.t1548.002
21logsource:
22    category: registry_set
23    product: windows
24detection:
25    selection:
26        TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
27        Details: 'DWORD (0x00000001)'
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium