Techniques
Sample rules
Disable UAC Remote Restriction
- source: splunk
- technicques:
- T1548.002
Description
The following analytic detects the modification of the registry to disable UAC remote restriction by setting the “LocalAccountTokenFilterPolicy” value to “0x00000001”. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path “\CurrentVersion\Policies\System”. This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" Registry.registry_value_data="0x00000001" ) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `disable_uac_remote_restriction_filter`