Closed frack113 closed 1 month ago
Summary of the Pull Request
Add new tests 24 and 25 from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
Changelog
update: UAC Disabled - update metadata
new: UAC Secure Desktop Prompt Disabled
new: UAC Notification Disabled
Example Log Event
<EventData>
  <Data Name="RuleName">technique_id=T1548.002,technique_name=Bypass User Access Control</Data>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2024-05-05 09:37:36.598</Data>
  <Data Name="ProcessGuid">{095b1fc8-535e-6637-f101-000000002500}</Data>
  <Data Name="ProcessId">4440</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</Data>
  <Data Name="Details">DWORD (0x00000000)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>
<EventData>
  <Data Name="RuleName">technique_id=T1548.002,technique_name=Bypass User Access Control</Data>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2024-05-05 09:30:28.116</Data>
  <Data Name="ProcessGuid">{095b1fc8-51b4-6637-d601-000000002500}</Data>
  <Data Name="ProcessId">2888</Data>
  <Data Name="Image">C:\WINDOWS\system32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Security Center\UACDisableNotify</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>
Fixed Issues
SigmaHQ Rule Creation Conventions
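As an added illustration (not part of the PR or SigmaHQ's code), the following script runs the detection logic the changelog describes over Sysmon registry SetValue events shaped like the example log events above: suffix match on TargetObject plus an exact match on Details. The PromptOnSecureDesktop and UACDisableNotify entries use the values from the PR's events; the EnableLUA entry is an assumption about the existing "UAC Disabled" rule, and the sample events are constructed.

```python
"""Check Sysmon registry SetValue events (Event ID 13) for the UAC-weakening
writes covered by the rules in this PR. Constructed example, not SigmaHQ code."""
import xml.etree.ElementTree as ET

# (TargetObject suffix, expected Details) -> rule title. The two new entries use the
# values from the PR's example events; the EnableLUA entry is an assumption about
# the existing "UAC Disabled" rule, based on EnableLUA=0 turning UAC off.
UAC_RULES = {
    (r"\Policies\System\EnableLUA", "DWORD (0x00000000)"): "UAC Disabled",
    (r"\Policies\System\PromptOnSecureDesktop", "DWORD (0x00000000)"): "UAC Secure Desktop Prompt Disabled",
    (r"\Microsoft\Security Center\UACDisableNotify", "DWORD (0x00000001)"): "UAC Notification Disabled",
}

def parse_event_data(xml_text):
    """Turn a Sysmon <EventData> fragment into a dict of Data Name -> text."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("Data")}

def match_uac_rule(fields):
    """Return the title of the first matching rule, or None. Only SetValue events
    count; a write that restores the secure value does not match."""
    if fields.get("EventType") != "SetValue":
        return None
    target = fields.get("TargetObject", "").lower()
    details = fields.get("Details", "")
    for (suffix, expected), title in UAC_RULES.items():
        if target.endswith(suffix.lower()) and details == expected:
            return title
    return None

# Constructed samples: the first two reuse TargetObject/Details from the PR's example
# events; the third re-enables the secure desktop prompt and must not match.
SAMPLE_EVENTS = [
    r"""<EventData><Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</Data>
    <Data Name="Details">DWORD (0x00000000)</Data></EventData>""",
    r"""<EventData><Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\WINDOWS\system32\reg.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Security Center\UACDisableNotify</Data>
    <Data Name="Details">DWORD (0x00000001)</Data></EventData>""",
    r"""<EventData><Data Name="EventType">SetValue</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</Data>
    <Data Name="Details">DWORD (0x00000001)</Data></EventData>""",
]

def scan(events):
    """Map each raw event to the rule it triggers (None when nothing matches)."""
    return [match_uac_rule(parse_event_data(e)) for e in events]

if __name__ == "__main__":
    for evt, hit in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(parse_event_data(evt)["TargetObject"], "->", hit)
```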