diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
index ba40b998..47ea1c0c 100644
--- a/modules/signatures/windows/bypass_uac.py
+++ b/modules/signatures/windows/bypass_uac.py
@@ -218,3 +218,27 @@ def run(self):
                 return True
 
         return False
+
+
+class ChecksUACStatus(Signature):
+    name = "checks_uac_status"
+    description = "Checks if UAC (User Access Control) is enabled"
+    severity = 2
+    categories = ["uac"]
+    authors = ["Kevin Ross"]
+    minimum = "0.5"
+    ttps = ["T1548"]  # MITRE v6,7,8
+
+    def run(self):
+        indicators = [
+            ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA$",
+
+        ]
+
+        for indicator in indicators:
+            match = self.check_key(pattern=indicator, regex=True)
+            if match:
+                self.data.append({"regkey": match})
+                return True
+
+        return False
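Review bot: The description string of the new ChecksUACStatus class expands UAC as "User Access Control", but the Windows feature is User Account Control, so the user-facing text should read `description = "Checks if UAC (User Account Control) is enabled"`. The indicator regex is written as a normal string with doubled escapes, which makes the intended single backslashes hard to read; a raw string is equivalent and clearer, `r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"`, and the stray empty line inside the list literal should be dropped. The ttps comment `# MITRE v6,7,8` says nothing about why the parent technique rather than a sub-technique was chosen, and a one-line note would help since reading EnableLUA is a status check rather than a bypass. check_key is defined outside this hunk, so I cannot tell whether it matches reads as well as writes; if it fires on any access to this value, legitimate installers also query it, which supports the low severity, while a write to EnableLUA is tampering rather than a check and would deserve its own signature.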