UAC Notification Disabled

Rule Info

| Field | Value |
|---|---|
| Name | UAC Notification Disabled |
| Author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| Description | Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed. |
| Date | 2024-05-10 00:00:00 |
| Modified | None |
| Id | c5f6a85d-b647-40f7-bbad-c10b66bab038 |
| Tags | attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 |
| Type | Community Rule |

Rule History

| Author | Title | Date | Commit |
|---|---|---|---|
| github-actions[bot] | Merge PR #5249 from @nasbench - Promote older rules status from `experimental` to `test` | 2025-04-17 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| frack113 | Merge PR #4844 from @frack113 - Update UAC based rules | 2024-05-10 | |