UAC Secure Desktop Prompt Disabled

 1title: UAC Secure Desktop Prompt Disabled
 2id: 0d7ceeef-3539-4392-8953-3dc664912714
 3related:
 4    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
 5      type: similar
 6    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 7      type: similar
 8status: experimental
 9description: |
10    Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
11    The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
12    When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.    
13references:
14    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
15author: frack113
16date: 2024-05-10
17tags:
18    - attack.privilege-escalation
19    - attack.defense-evasion
20    - attack.t1548.002
21logsource:
22    category: registry_set
23    product: windows
24detection:
25    selection:
26        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
27        Details: 'DWORD (0x00000000)'
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium