Disabling Remote User Account Control

Description

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Privilege Escalation
Defense Evasion

MITRE ATT&CK Techniques

Abuse Elevation Control Mechanism

Bypass User Account Control

MITRE Threat Groups

APT29
APT37
BRONZE BUTLER
Cobalt Group
Honeybee
MuddyWater
Patchwork
Threat Group-3390

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Disabling Remote User Account Control Help

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.

   Search

Open in Search