UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Sigma rule (View on GitHub)
1title: UAC Secure Desktop Prompt Disabled
2id: 0d7ceeef-3539-4392-8953-3dc664912714
3related:
4 - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
5 type: similar
6 - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
7 type: similar
8status: experimental
9description: |
10 Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
11 The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
12 When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
13references:
14 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
15author: frack113
16date: 2024-05-10
17tags:
18 - attack.privilege-escalation
19 - attack.defense-evasion
20 - attack.t1548.002
21logsource:
22 category: registry_set
23 product: windows
24detection:
25 selection:
26 TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
27 Details: 'DWORD (0x00000000)'
28 condition: selection
29falsepositives:
30 - Unknown
31level: medium
References
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager