From 982d185c74f99e24660e1a4c42168feec9d4e042 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 4 Oct 2024 20:02:31 +0100
Subject: [PATCH] Add signature for checking UAC key

Add signature for checking enableLUA key

---
 modules/signatures/windows/bypass_uac.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
index ba40b998..47ea1c0c 100644
--- a/modules/signatures/windows/bypass_uac.py
+++ b/modules/signatures/windows/bypass_uac.py
@@ -218,3 +218,27 @@ def run(self):
                 return True
         return False
 
+
+
+class ChecksUACStatus(Signature):
+    name = "checks_uac_status"
+    description = "Checks if UAC (User Access Control) is enabled"
+    severity = 2
+    categories = ["uac"]
+    authors = ["Kevin Ross"]
+    minimum = "0.5"
+    ttps = ["T1548"]  # MITRE v6,7,8
+
+    def run(self):
+        indicators = [
+            ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA$",
+
+        ]
+
+        for indicator in indicators:
+            match = self.check_key(pattern=indicator, regex=True)
+            if match:
+                self.data.append({"regkey": match})
+                return True
+
+        return False
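Review bot: The `description` string in the new `ChecksUACStatus` class expands UAC wrongly — it is User Account Control, not "User Access Control" — and this text is what analysts see in reports, so it should read `description = "Checks if UAC (User Account Control) is enabled"`. The `indicators` list also carries a stray blank line before the closing `]`, which reads as an accidental leftover rather than a deliberate gap for future entries. Since `check_key` (as far as the hunk shows) matches any access to the EnableLUA key rather than a read of its value, and querying this key is routine for installers and elevation-aware applications, a short comment on the class noting that it fires on benign software as well as on tampering attempts would help anyone tuning severity later; I would hedge that severity 2 may be on the high side for a pure presence check, but that is a judgement for the maintainers. The two leading context lines belong to a `run` method that starts outside the hunk.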