LoFP / This registry key may be modified by administrators to implement a change in system policy. This type of change should be a very rare occurrence.

Techniques

Sample rules

Disabling Remote User Account Control

Description

The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA where the value is set to 0x00000000. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action
| `drop_dm_object_name(Registry)`
| `disabling_remote_user_account_control_filter`
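The search above only runs inside Splunk, so the following is an added example (not from the LoFP page and not Splunk's own ESCU code) that re-implements its core logic in Python over a handful of constructed Sysmon-style registry events: the path match on `...\Policies\System\EnableLUA` with value data `0x00000000`, the per-host/per-user aggregation into count, firstTime and lastTime, and an allow-list standing in for the `disabling_remote_user_account_control_filter` macro, which is where the false positive named at the top of the page (a planned policy change by an administrator) would be tuned out. Field names follow the Endpoint.Registry data model; the event records, host names and user names are constructed.

```python
"""Re-implementation of the 'Disabling Remote User Account Control' match and
aggregation. Added example; field names mirror the Endpoint.Registry data model
(dest, user, registry_path, registry_value_data, action) and all events are
constructed sample data, not real telemetry."""

from collections import defaultdict

ENABLELUA_SUFFIX = r"\microsoft\windows\currentversion\policies\system\enablelua"

# Constructed sample events. ISO 8601 timestamps sort correctly as strings.
SAMPLE_EVENTS = [
    # Two UAC-disabling writes on ws01 by the same user: one aggregated row, count 2.
    {"_time": "2024-05-01T09:00:00", "dest": "ws01", "user": "CORP\\alice",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "registry_value_data": "0x00000000", "action": "modified"},
    {"_time": "2024-05-01T09:05:00", "dest": "ws01", "user": "CORP\\alice",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "registry_value_data": "0x00000000", "action": "modified"},
    # Same key, but UAC being re-enabled (value 1): not a match.
    {"_time": "2024-05-01T10:00:00", "dest": "ws02", "user": "CORP\\bob",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "registry_value_data": "0x00000001", "action": "modified"},
    # A different value under the same Policies\System key: not a match.
    {"_time": "2024-05-01T10:30:00", "dest": "ws02", "user": "CORP\\bob",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "registry_value_data": "0x00000000", "action": "modified"},
    # The documented false positive: a policy change by an admin service account.
    {"_time": "2024-05-02T22:15:00", "dest": "srv01", "user": "CORP\\svc_gpo",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "registry_value_data": "0x00000000", "action": "modified"},
]


def matches_rule(event):
    """Equivalent of the tstats 'where' clause: Splunk wildcards are
    case-insensitive substring matches, so compare lower-cased paths."""
    path = event["registry_path"].lower()
    return ENABLELUA_SUFFIX in path and event["registry_value_data"] == "0x00000000"


def run_detection(events, allowlist=frozenset()):
    """Aggregate matching events by (dest, user, path, value, action) and
    return rows with count/firstTime/lastTime, ordered by firstTime.
    `allowlist` is a set of (dest, user) pairs and stands in for the
    *_filter macro used to suppress known administrative policy changes."""
    groups = defaultdict(list)
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["dest"], ev["user"], ev["registry_path"],
               ev["registry_value_data"], ev["action"])
        groups[key].append(ev["_time"])

    rows = []
    for (dest, user, path, data, action), times in groups.items():
        if (dest, user) in allowlist:
            continue  # tuned-out false positive
        rows.append({
            "dest": dest, "user": user, "registry_path": path,
            "registry_value_data": data, "action": action,
            "count": len(times), "firstTime": min(times), "lastTime": max(times),
        })
    rows.sort(key=lambda r: r["firstTime"])
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
    print("--- with the change-window account allow-listed ---")
    for row in run_detection(SAMPLE_EVENTS, allowlist={("srv01", "CORP\\svc_gpo")}):
        print(row)
```

Running it without an allow-list yields two rows (ws01 with count 2, and srv01 with count 1); adding the `(srv01, CORP\svc_gpo)` pair to the allow-list drops the administrative change and leaves only the ws01 row, which is the same effect the filter macro has in the Splunk search.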