
Summary
This rule detects attempts to disable User Account Control (UAC) on Windows hosts by monitoring writes to the registry value `EnableLUA` under the key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, which controls whether UAC is enabled. When `EnableLUA` is set to `0`, UAC is turned off: after the next reboot, processes started by members of the local Administrators group run with a full administrator token and no consent prompt. Writing to this key already requires administrative rights, so a hit usually means an actor who has obtained elevation is removing the control so that later tooling can run elevated without any user interaction. ATT&CK classifies this as abuse of an elevation control mechanism (T1548.002, Bypass User Account Control), which serves both privilege escalation and defense evasion. The same change can also come from Group Policy, imaging and provisioning scripts, or an administrator acting interactively, so the writing process, the user context and the timing of the write should be reviewed before a hit is treated as malicious.
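The following is an added example of the rule's logic expressed in Python and run over constructed Sysmon Event ID 13 (RegistryEvent SetValue) messages; it is not the rule's own implementation or code from the original page. It assumes the Sysmon message layout of `Name: value` lines and the `DWORD (0x00000000)` rendering of REG_DWORD data, and the sample events (hosts, users, process paths) are made up for the demonstration.

```python
"""Flag Sysmon registry SetValue events that set EnableLUA to 0 (UAC disabled).

Added example, not from the original page. The sample events are constructed
to mimic Sysmon Event ID 13 message text; they are not captured logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Match on the tail of the path so any hive spelling the event source uses
# (HKLM\SOFTWARE\..., \REGISTRY\MACHINE\SOFTWARE\...) still matches.
ENABLE_LUA_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$",
    re.IGNORECASE,
)
# Sysmon renders REG_DWORD data as "DWORD (0x00000000)" (assumed format).
DWORD_RE = re.compile(r"DWORD\s*\(\s*0x([0-9a-f]{1,8})\s*\)", re.IGNORECASE)


@dataclass
class RegistryEvent:
    """Event ID plus the Name: value fields of one Sysmon message."""
    event_id: int
    fields: Dict[str, str]

    def get(self, name: str) -> str:
        return self.fields.get(name, "")


def parse_sysmon_message(event_id: int, message: str) -> RegistryEvent:
    """Parse the 'Name: value' lines of a Sysmon message; other lines are ignored."""
    fields: Dict[str, str] = {}
    for line in message.strip().splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            fields[name.strip()] = value.strip()
    return RegistryEvent(event_id, fields)


def parse_dword(details: str) -> Optional[int]:
    """Return the integer in a Details field, or None when it is not numeric."""
    m = DWORD_RE.search(details)
    if m:
        return int(m.group(1), 16)
    s = details.strip().lower()
    if re.fullmatch(r"0x[0-9a-f]+", s):
        return int(s, 16)
    if re.fullmatch(r"[0-9]+", s):
        return int(s, 10)
    return None


def is_uac_disable(event: RegistryEvent) -> bool:
    """True when a SetValue event writes EnableLUA = 0."""
    if event.event_id != 13 or event.get("EventType") != "SetValue":
        return False
    if not ENABLE_LUA_RE.search(event.get("TargetObject")):
        return False
    return parse_dword(event.get("Details")) == 0


def find_uac_disables(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    return [e for e in events if is_uac_disable(e)]


def describe(event: RegistryEvent) -> str:
    """One-line alert text carrying the context an analyst triages on."""
    return (f"UAC disabled by {event.get('Image')} (user {event.get('User')}) "
            f"at {event.get('UtcTime')}: {event.get('TargetObject')} = {event.get('Details')}")


# Constructed sample events: (event_id, Sysmon-style message body).
SAMPLE_EVENTS = [
    (13, r"""Registry value set:
EventType: SetValue
UtcTime: 2022-01-05 10:22:13.512
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Details: DWORD (0x00000000)
User: CORP\alice"""),
    (13, r"""Registry value set:
EventType: SetValue
UtcTime: 2022-01-05 10:25:40.001
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Details: DWORD (0x00000001)
User: CORP\alice"""),
    (13, r"""Registry value set:
EventType: SetValue
UtcTime: 2022-01-05 10:30:02.770
Image: C:\Windows\System32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
Details: DWORD (0x00000000)
User: NT AUTHORITY\SYSTEM"""),
]


def run_sample() -> List[RegistryEvent]:
    """Run the rule over the constructed events; only the first one should fire."""
    events = [parse_sysmon_message(eid, msg) for eid, msg in SAMPLE_EVENTS]
    return find_uac_disables(events)


if __name__ == "__main__":
    for hit in run_sample():
        print(describe(hit))
```

The third sample event, which sets `ConsentPromptBehaviorAdmin` to `0` (prompt suppressed for administrators while UAC stays on), deliberately does not fire: it is a related weakening of UAC but not the `EnableLUA` write this rule covers, and would need its own rule. Tuning for a real deployment would add the process and user context from `describe()` to an allowlist review for provisioning tooling rather than suppressing the rule outright.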
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1548.002
Created: 2022-01-05