diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml deleted file mode 100644 index 23ed376e407..00000000000 --- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Disable UAC Using Registry -id: 48437c39-9e5f-47fb-af95-3d663c3f2919 -status: experimental -description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe -author: frack113 -date: 2022/01/05 -modified: 2023/08/17 -tags: - - attack.privilege_escalation - - attack.defense_evasion - - attack.t1548.002 -logsource: - category: registry_set - product: windows -detection: - selection: - TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - Details: DWORD (0x00000000) - condition: selection -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable.yml b/rules/windows/registry/registry_set/registry_set_uac_disable.yml new file mode 100644 index 00000000000..00b2609e377 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_uac_disable.yml @@ -0,0 +1,30 @@ +title: UAC Disabled +id: 48437c39-9e5f-47fb-af95-3d663c3f2919 +related: + - id: c5f6a85d-b647-40f7-bbad-c10b66bab038 + type: similar + - id: 0d7ceeef-3539-4392-8953-3dc664912714 + type: similar +status: stable +description: | + Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md +author: frack113 +date: 2022/01/05 +modified: 2024/05/10 +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1548.002 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml new file mode 100644 index 00000000000..a03d96d232d --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml @@ -0,0 +1,32 @@ +title: UAC Notification Disabled +id: c5f6a85d-b647-40f7-bbad-c10b66bab038 +related: + - id: 0d7ceeef-3539-4392-8953-3dc664912714 + type: similar + - id: 48437c39-9e5f-47fb-af95-3d663c3f2919 + type: similar +status: experimental +description: | + Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. + UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. + When "UACDisableNotify" is set to 1, UAC prompts are suppressed. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md + - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2024/05/10 +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1548.002 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify' + Details: 'DWORD (0x00000001)' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml new file mode 100644 index 00000000000..33007656a73 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml @@ -0,0 +1,31 @@ +title: UAC Secure Desktop Prompt Disabled +id: 0d7ceeef-3539-4392-8953-3dc664912714 +related: + - id: c5f6a85d-b647-40f7-bbad-c10b66bab038 + type: similar + - id: 48437c39-9e5f-47fb-af95-3d663c3f2919 + type: similar +status: experimental +description: | + Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. + The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. + When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md +author: frack113 +date: 2024/05/10 +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1548.002 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop' + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unknown +level: medium