Threat Feed
medium advisory

Disabling User Account Control via Registry Modification

Attackers who already hold administrative rights may disable User Account Control (UAC) by modifying specific registry values, so that subsequent code elevates without a consent prompt, security restrictions tied to the consent step are bypassed, and a compromised Windows system can be held with full privileges without alerting the user.

User Account Control (UAC) is a Windows security feature that limits the impact of malware by running even administrator accounts with a filtered, standard-user token and requiring explicit consent before a process is elevated. Attackers may weaken or disable UAC so that later elevations happen silently and persistence mechanisms run with a full token without user consent. This is done by modifying values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA (0 disables UAC entirely, effective after the next reboot), ConsentPromptBehaviorAdmin (0 lets administrators elevate without any prompt) and PromptOnSecureDesktop (0 moves the prompt off the secure desktop onto the interactive desktop, where other processes can interfere with it). Because this key is writable only by administrators, the modification itself requires prior elevation; its value to the attacker is removing the consent barrier for everything that follows. Setting these DWORD values to 0 (0x00000000) is the form observed in the wild, and the technique has been seen in conjunction with malware such as the Remcos RAT.

Attack Chain

  1. Initial Access: An attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.
  2. Privilege Escalation: The attacker attempts to escalate privileges to perform actions requiring administrative rights.
  3. Registry Modification: Using the administrative token obtained in the previous step, the attacker modifies the registry values EnableLUA, ConsentPromptBehaviorAdmin, and/or PromptOnSecureDesktop located under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  4. Disable UAC: Setting these DWORD values to 0 (0x00000000) disables UAC or its prompts. ConsentPromptBehaviorAdmin and PromptOnSecureDesktop apply to subsequent elevation requests immediately; EnableLUA requires a reboot before UAC is fully off.
  5. Code Execution: The attacker executes further malicious code, which now elevates without a consent prompt.
  6. Persistence: The attacker establishes persistence, ensuring continued access to the compromised system.
  7. Lateral Movement: The attacker moves laterally to other systems within the network, leveraging the compromised system as a launchpad.
  8. Objective Completion: The attacker achieves their final objective, such as data exfiltration, system disruption, or ransomware deployment.

Impact

Disabling UAC allows attackers to execute code with elevated privileges, bypassing security restrictions. This can lead to a complete compromise of the affected system, allowing attackers to install malware, modify system settings, steal sensitive data, and potentially move laterally to other systems within the network. The rule has a risk score of 47.

Recommendation

  • Monitor registry modifications for changes to EnableLUA, ConsentPromptBehaviorAdmin, and PromptOnSecureDesktop with the Sigma rule provided.
  • Enable Sysmon registry event logging (Event ID 13, RegistryEvent: Value Set) and make sure the configuration does not filter out HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; without that telemetry the registry_set rules below have nothing to match.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
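As a worked illustration of both the registry values described above and the monitoring recommended here, the following Python script is an added example written for this brief; it is not code from the advisory, from Sysmon, or from the Sigma project. It applies the matching logic a registry_set Sigma rule expresses (TargetObject ends with one of the three value names under the Policies\System key, Details is a DWORD of zero) to a handful of constructed Sysmon Event ID 13 records, including the cases a tuned rule must ignore: a Group Policy refresh writing the default ConsentPromptBehaviorAdmin of 5, the same value name under an unrelated hypothetical vendor key, and a key-creation event that carries no value data. All image paths and events are constructed for the example.

```python
"""Flag Sysmon registry_set events (Event ID 13, RegistryEvent: Value Set) that
disable a UAC control, mirroring the matching logic of a Sigma registry_set rule."""
import re

# Key that holds the UAC policy values; compared case-insensitively as a suffix
# because Sysmon renders the hive as "HKLM\..." and registry paths ignore case.
UAC_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value name -> what a zero DWORD does to UAC.
UAC_VALUES = {
    "EnableLUA": "UAC disabled entirely (takes effect after the next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt",
    "PromptOnSecureDesktop": "elevation prompt moved off the secure desktop",
}

# Sysmon writes DWORD data into the Details field as e.g. "DWORD (0x00000000)".
ZERO_DWORD = re.compile(r"^DWORD \(0x0+\)$")


def parse_target(target_object):
    """Split a Sysmon TargetObject into (key_path, value_name); None if malformed."""
    key, sep, value = target_object.rpartition("\\")
    if not sep or not value:
        return None
    return key, value


def is_uac_disable(event):
    """Return the canonical UAC value name if this event sets it to 0, else None."""
    if event.get("EventID") != 13:
        return None
    parsed = parse_target(event.get("TargetObject", ""))
    if parsed is None:
        return None
    key, value = parsed
    if not key.upper().endswith(UAC_KEY.upper()):
        return None
    canonical = next((v for v in UAC_VALUES if v.lower() == value.lower()), None)
    if canonical is None:
        return None
    if not ZERO_DWORD.match(event.get("Details", "")):
        return None
    return canonical


def scan(events):
    """Return (Image, value_name, explanation) for every event that disables a UAC control."""
    alerts = []
    for ev in events:
        hit = is_uac_disable(ev)
        if hit is not None:
            alerts.append((ev.get("Image", "?"), hit, UAC_VALUES[hit]))
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # reg.exe turning UAC off outright -> alert
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Group Policy refresh writing the default prompt behaviour (5) -> no alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},
    # Silent elevation enabled from PowerShell; mixed-case path must still match -> alert
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\software\microsoft\windows\currentversion\policies\system\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    # Same value name under an unrelated (hypothetical) vendor key -> no alert
    {"EventID": 13, "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Key creation (Event ID 12) carries no value data -> ignored
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
]

if __name__ == "__main__":
    for image, value, why in scan(SAMPLE_EVENTS):
        print(f"ALERT: {value} set to 0 by {image} ({why})")
```

Running the script prints two alerts, for the reg.exe write to EnableLUA and the PowerShell write to ConsentPromptBehaviorAdmin. The three conditions it checks are the same ones a SIEM rule needs; matching on the Details string rather than on the value name alone is what keeps a policy refresh that restores the defaults from paging the on-call analyst.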

Detection coverage 2

UAC Disable via Registry Modification

medium

Detects changes to registry values that disable User Account Control (UAC).

sigma tactics: defense_evasion, privilege_escalation techniques: T1112, T1548.002, T1562.001 sources: registry_set, windows

UAC Registry Bypass - EnableLUA

medium

Detects changes specifically to the EnableLUA registry value.

sigma tactics: defense_evasion, privilege_escalation techniques: T1112, T1548.002, T1562.001 sources: registry_set, windows

Detection queries are kept inside the platform.