After compromising a machine, threat actors often try to disable User Account Control (UAC) to escalate privileges. This is commonly done by changing the registry key for system policies with “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry from the command prompt or scripts. The change interferes with UAC and may let the threat actor escalate privileges on the compromised system, allowing further exploitation of the system.

ATT&CK Detections

| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Abuse Elevation Control Mechanism | Bypass User Account Control | Privilege Escalation | Medium |

D3FEND Techniques

| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |

Data Model References

| Object | Action | Field |
|---|---|---|
| process | create | image_path |
| process | create | command_line |

Implementations

Detect disabling of UAC via reg.exe (Splunk, Sysmon native)

This query looks for reg.exe launched from cmd.exe with a command line aimed at disabling UAC.

sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")

Detect disabling of UAC via reg.exe (Pseudocode, Sysmon native)

This pseudocode looks for reg.exe launched from cmd.exe with a command line aimed at disabling UAC.

processes = search Process:Create
cmd_processes = filter processes where (
                (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")
                )
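
The pseudocode above, worked as a runnable filter over process-create events. This is an added example, not part of the original analytic. The event dictionaries, the `host` field, the function names and the `ExampleValue` value name are assumptions made for illustration, as is the case-insensitive matching.

```python
import re

# Values copied from the analytic above; '%' is its wildcard character.
PARENT_IMAGE = r"C:\Windows\System32\cmd.exe"
KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
COMMAND_LIKE = "reg.exe%" + KEY + "%REG_DWORD /d 0%"


def like_to_regex(pattern):
    """Turn a LIKE pattern ('%' = any run of characters) into an anchored regex."""
    literals = [re.escape(part) for part in pattern.split("%")]
    # Assumption: match case-insensitively, since Windows paths and reg.exe
    # arguments are not case-sensitive.
    return re.compile("^" + ".*".join(literals) + "$", re.IGNORECASE | re.DOTALL)


COMMAND_RE = like_to_regex(COMMAND_LIKE)


def is_uac_disable(event):
    """True when a process-create event satisfies both conditions of the analytic."""
    parent = event.get("parent_image", "")
    command = event.get("command_line", "")
    return parent.lower() == PARENT_IMAGE.lower() and bool(COMMAND_RE.match(command))


def detect(events):
    """Return the hosts of matching events, in input order."""
    return [e["host"] for e in events if is_uac_disable(e)]


# Constructed sample events (not real telemetry); ExampleValue is a placeholder name.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": PARENT_IMAGE,
     "command_line": "reg.exe ADD " + KEY + " /v ExampleValue /t REG_DWORD /d 0 /f"},
    {"host": "ws02", "parent_image": PARENT_IMAGE,
     "command_line": "reg.exe QUERY " + KEY},
    {"host": "ws03", "parent_image": PARENT_IMAGE,
     "command_line": "reg.exe ADD " + KEY + " /v ExampleValue /t REG_DWORD /d 1 /f"},
    {"host": "ws04", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Only the first event is reported: the read-only query and the write of a non-zero value touch the same key but do not satisfy the command-line pattern.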