
Rule Info
Name
Disable UAC via EnableLUA Registry Modification
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to disable User Account Control (UAC) by modifying the EnableLUA registry key.
Disabling UAC lowers system security by allowing processes to run with elevated privileges without user consent.
Adversaries may disable UAC to escalate privileges or execute malicious code without triggering security prompts, making detection and containment more difficult.
Date
2025-03-03 00:00:00
Modified
None
Id
6fc1de62-618a-4f5c-95e0-0409152fd68b
Tags
attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
Type
Nextron Sigma feed only (private)