forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge PR SigmaHQ#4844 from @frack113 - Update UAC based rules
update: UAC Disabled - update metadata new: UAC Secure Desktop Prompt Disabled new: UAC Notification Disabled --------- Co-authored-by: nasbench <[email protected]>
- Loading branch information
Showing
4 changed files
with
93 additions
and
24 deletions.
There are no files selected for viewing
24 changes: 0 additions & 24 deletions
24
rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
This file was deleted.
Oops, something went wrong.
30 changes: 30 additions & 0 deletions
30
rules/windows/registry/registry_set/registry_set_uac_disable.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| title: UAC Disabled | ||
| id: 48437c39-9e5f-47fb-af95-3d663c3f2919 | ||
| related: | ||
| - id: c5f6a85d-b647-40f7-bbad-c10b66bab038 | ||
| type: similar | ||
| - id: 0d7ceeef-3539-4392-8953-3dc664912714 | ||
| type: similar | ||
| status: stable | ||
| description: | | ||
| Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. | ||
| references: | ||
| - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
| author: frack113 | ||
| date: 2022/01/05 | ||
| modified: 2024/05/10 | ||
| tags: | ||
| - attack.privilege_escalation | ||
| - attack.defense_evasion | ||
| - attack.t1548.002 | ||
| logsource: | ||
| category: registry_set | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' | ||
| Details: 'DWORD (0x00000000)' | ||
| condition: selection | ||
| falsepositives: | ||
| - Unknown | ||
| level: medium |
32 changes: 32 additions & 0 deletions
32
rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| title: UAC Notification Disabled | ||
| id: c5f6a85d-b647-40f7-bbad-c10b66bab038 | ||
| related: | ||
| - id: 0d7ceeef-3539-4392-8953-3dc664912714 | ||
| type: similar | ||
| - id: 48437c39-9e5f-47fb-af95-3d663c3f2919 | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. | ||
| UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. | ||
| When "UACDisableNotify" is set to 1, UAC prompts are suppressed. | ||
| references: | ||
| - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
| - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ | ||
| author: frack113, Nasreddine Bencherchali (Nextron Systems) | ||
| date: 2024/05/10 | ||
| tags: | ||
| - attack.privilege_escalation | ||
| - attack.defense_evasion | ||
| - attack.t1548.002 | ||
| logsource: | ||
| category: registry_set | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify' | ||
| Details: 'DWORD (0x00000001)' | ||
| condition: selection | ||
| falsepositives: | ||
| - Unknown | ||
| level: medium |
31 changes: 31 additions & 0 deletions
31
rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| title: UAC Secure Desktop Prompt Disabled | ||
| id: 0d7ceeef-3539-4392-8953-3dc664912714 | ||
| related: | ||
| - id: c5f6a85d-b647-40f7-bbad-c10b66bab038 | ||
| type: similar | ||
| - id: 48437c39-9e5f-47fb-af95-3d663c3f2919 | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. | ||
| The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. | ||
| When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. | ||
| references: | ||
| - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
| author: frack113 | ||
| date: 2024/05/10 | ||
| tags: | ||
| - attack.privilege_escalation | ||
| - attack.defense_evasion | ||
| - attack.t1548.002 | ||
| logsource: | ||
| category: registry_set | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop' | ||
| Details: 'DWORD (0x00000000)' | ||
| condition: selection | ||
| falsepositives: | ||
| - Unknown | ||
| level: medium |