After compromising a machine, threat actors often try to disable User Access Control (UAC) so that they can escalate privileges. This is commonly done by changing the registry key for system policies with “reg.exe”, a legitimate Microsoft tool for modifying the registry from the command prompt or from scripts. The change interferes with UAC and may let the threat actor escalate privileges on the compromised system, opening the way to further exploitation.

ATT&CK Detection

Technique: Abuse Elevation Control Mechanism
Subtechnique(s): Bypass User Access Control
Tactic(s): Privilege Escalation
Level of Coverage: Medium

Data Model References

Object   Action   Field
process  create   image_path
process  create   command_line

Applicable Sensors

Implementations

Detect disabling of UAC via reg.exe (Splunk, Sysmon native)

This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC.

sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")

Detect disabling of UAC via reg.exe (Pseudocode, Sysmon native)

This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC.

processes = search Process:Create
cmd_processes = filter processes where (
    (parent_image = "C:\\Windows\\System32\\cmd.exe") AND
    (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")
)
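The Splunk query and the pseudocode above express the same rule. As an added example (not part of the original analytic), the following Python applies that rule to constructed Sysmon Event ID 1 records, translating the LIKE pattern's "%" wildcards into a regex and matching case-insensitively, since Windows paths and reg.exe arguments are not case-sensitive. The field names, the sample events and the "SomeUacValue" registry value name are assumptions made for the example.

```python
import re

# The analytic's Splunk-style LIKE pattern; "%" matches any run of characters.
UAC_CMDLINE_LIKE = (r"reg.exe%HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                    r"\Policies\System%REG_DWORD /d 0%")
PARENT_IMAGE = r"C:\Windows\System32\cmd.exe"


def like_to_regex(pattern: str) -> re.Pattern:
    """Turn a LIKE pattern with % wildcards into an anchored, case-insensitive regex.
    A case-sensitive comparison would miss trivially re-cased command lines."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$",
                      re.IGNORECASE | re.DOTALL)


CMDLINE_RE = like_to_regex(UAC_CMDLINE_LIKE)


def is_uac_disable_via_reg(event: dict) -> bool:
    """Apply the analytic to one Sysmon Event ID 1 (process create) record."""
    if event.get("EventID") != 1:
        return False
    parent_ok = event.get("ParentImage", "").lower() == PARENT_IMAGE.lower()
    return parent_ok and CMDLINE_RE.match(event.get("CommandLine", "")) is not None


def detect(events: list) -> list:
    """Return the events the analytic flags."""
    return [e for e in events if is_uac_disable_via_reg(e)]


# Constructed sample events, not real telemetry. "SomeUacValue" is a placeholder
# for the registry value name; the analytic keys on the key path and on "/d 0".
KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # True positive: a value under the policies key is set to 0 from cmd.exe.
    {"EventID": 1, "ParentImage": CMD,
     "CommandLine": rf"reg.exe add {KEY} /v SomeUacValue /t REG_DWORD /d 0 /f"},
    # Same action typed in mixed case; a case-sensitive LIKE would miss it.
    {"EventID": 1, "ParentImage": CMD.upper(),
     "CommandLine": rf"REG.EXE ADD {KEY.lower()} /v someuacvalue /t reg_dword /d 0 /f"},
    # Benign: same key, but the value is set to 1, so "/d 0" does not match.
    {"EventID": 1, "ParentImage": CMD,
     "CommandLine": rf"reg.exe add {KEY} /v SomeUacValue /t REG_DWORD /d 1 /f"},
    # Outside the analytic's scope: same command, but the parent is not cmd.exe.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": rf"reg.exe add {KEY} /v SomeUacValue /t REG_DWORD /d 0 /f"},
]
```

Running `detect(SAMPLE_EVENTS)` returns only the first two records; the last one shows that the parent-image condition limits coverage to reg.exe launched from cmd.exe.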