LoFP / This registry key may be modified by administrators to implement a change in system policy. This type of change should be a very rare occurrence.

Techniques

Sample rules

Disabling Remote User Account Control

Description

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action
| `drop_dm_object_name(Registry)`
| `disabling_remote_user_account_control_filter`
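The tstats search above, re-expressed as an added Python example (not part of the original rule or the Splunk content) run over constructed Endpoint.Registry-style events: the WHERE clause becomes a wildcard-and-value check, the BY clause becomes a grouped count with firstTime/lastTime, and a hypothetical user allowlist stands in for the `disabling_remote_user_account_control_filter` macro so an approved policy change like the one described at the top of the page drops out before alerting. Field names follow the rule; the Windows hosts, accounts and timestamps are made up.

```python
import fnmatch

# Wildcard path and value data taken from the rule's tstats WHERE clause.
PATH_PATTERN = r"*HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA*"
DISABLED = "0x00000000"
SYSTEM_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
BY_FIELDS = ("dest", "registry_key_name", "user", "registry_path", "registry_value_data", "action")

def _ev(t, dest, user, value_name, data):
    """Build one constructed Endpoint.Registry-style event (illustrative, not real telemetry)."""
    return {"_time": t, "dest": dest, "user": user, "action": "modified",
            "registry_key_name": SYSTEM_KEY, "registry_path": SYSTEM_KEY + "\\" + value_name,
            "registry_value_data": data}

# Constructed sample events: hosts, accounts and times are invented for this example.
SAMPLE_EVENTS = [
    _ev(1700000000, "ws01", r"CORP\alice", "EnableLUA", DISABLED),
    _ev(1700000300, "ws01", r"CORP\alice", "EnableLUA", DISABLED),       # same host/user: count 2
    _ev(1700000100, "ws02", r"CORP\svc_policy", "EnableLUA", DISABLED),  # approved policy change
    _ev(1700000400, "ws03", r"CORP\bob", "EnableLUA", "0x00000001"),     # UAC re-enabled: no match
    _ev(1700000500, "ws03", r"CORP\bob", "ConsentPromptBehaviorAdmin", DISABLED),  # other value
]

def matches_rule(event):
    """Mirror the WHERE clause: wildcard match on registry_path and value data 0x00000000."""
    # Assumption: the Splunk wildcard match is case-insensitive, so both sides are lowercased.
    path_ok = fnmatch.fnmatchcase(event["registry_path"].lower(), PATH_PATTERN.lower())
    return path_ok and event["registry_value_data"] == DISABLED

def summarize(events, allowlist=frozenset()):
    """Aggregate like the BY clause: count, firstTime and lastTime per field tuple.
    `allowlist` (hypothetical tuning hook) plays the role of the rule's filter macro:
    rows whose user is a known policy-management account are dropped after aggregation."""
    rows = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = tuple(ev[f] for f in BY_FIELDS)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    user_i = BY_FIELDS.index("user")
    return {k: v for k, v in rows.items() if k[user_i] not in allowlist}

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS, allowlist={r"CORP\svc_policy"}).items():
        print(dict(zip(BY_FIELDS, key)), row)
```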