Skip to content
Threat Feed
medium advisory

Local Account TokenFilter Policy Modification

An adversary modifies the LocalAccountTokenFilterPolicy registry key to weaken security controls and enable privilege escalation, allowing them to bypass User Account Control (UAC) and gain elevated privileges remotely.

Attackers modify the LocalAccountTokenFilterPolicy registry setting to weaken system security. This policy, when set to '1', grants remote connections from local administrators full high-integrity tokens, effectively bypassing User Account Control (UAC). This allows attackers to remotely execute commands with elevated privileges. This technique can be used for lateral movement and defense evasion. The modification of this registry key indicates a potential attempt to facilitate lateral movement or evade defenses within a Windows environment.

Attack Chain

  1. The attacker gains initial access to the target system, potentially through compromised credentials or exploitation of a vulnerability.
  2. The attacker uses an administrative account or exploits a privilege escalation vulnerability to obtain necessary rights to modify the registry.
  3. The attacker modifies the LocalAccountTokenFilterPolicy registry value located at HKLM\*\LocalAccountTokenFilterPolicy to 1 or 0x00000001.
  4. The system's security posture is weakened due to the policy change, enabling remote connections from local administrators to use full high-integrity tokens.
  5. The attacker initiates a remote connection to the system, utilizing a local administrator account.
  6. The attacker is granted full high-integrity tokens during authentication, bypassing UAC restrictions.
  7. The attacker executes malicious commands or deploys malware with elevated privileges remotely.
  8. The attacker achieves lateral movement and gains control over additional systems within the network or impairs defenses.

Impact

Successful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass UAC and gain elevated privileges remotely. This can lead to lateral movement, data exfiltration, or system compromise. The impact is significant, as it weakens the system's security posture and allows attackers to operate with elevated privileges, potentially affecting all systems where the modified policy is in effect.

Recommendation

  • Enable Sysmon registry event logging to monitor changes to the LocalAccountTokenFilterPolicy registry key (rule: "Detect Local Account TokenFilter Policy Modification").
  • Deploy the Sigma rule "Detect Local Account TokenFilter Policy Modification" to your SIEM and tune it for your environment.
  • Investigate any detected modifications of the LocalAccountTokenFilterPolicy registry key, identifying the user and process responsible for the change, as outlined in the investigation guide.
  • Regularly review and audit registry settings related to security policies to ensure they align with organizational security standards.

Detection coverage 2

Detect Local Account TokenFilter Policy Modification

medium

Detects modifications to the LocalAccountTokenFilterPolicy registry key, indicating a potential attempt to bypass UAC and gain elevated privileges.

sigma tactics: defense_evasion, lateral_movement techniques: T1550.002, T1562 sources: registry_set, windows

Detect Local Account TokenFilter Policy Creation

medium

Detects creation of the LocalAccountTokenFilterPolicy registry key, which is not present by default, indicating a potential attempt to bypass UAC and gain elevated privileges.

sigma tactics: defense_evasion, lateral_movement techniques: T1550.002, T1562 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →