disable_remote_uac.yml

asset_type: Endpoint
confidence: medium
creation_date: '2017-10-12'
data_metadata:
  data_models:
    - Endpoint
  data_source:
    - Endpoint Intel
  providing_technologies:
    - Carbon Black Response
    - CrowdStrike Falcon
    - Sysmon
    - Tanium
    - Ziften
description: The search looks for modifications to registry keys that control the
  enforcement of Windows User Account Control (UAC).
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, user, registry_path
        rule_description: The registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
          was modified.  This registry key is associated with disabling remote UAC
          on Windows.
        rule_title: Registry Key Associated With Disabling Remote UAC Modified on
          $dest$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 30
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as
        lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy"
        by Registry.dest, Registry.registry_key_name Registry.status Registry.user
        Registry.registry_path Registry.action | `drop_dm_object_name(Registry)`'
      suppress:
        suppress_fields: dest, user, registry_path
        suppress_period: 14400s
eli5: This search checks to see if the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
  was modified.  This registry key can be used to disable remote User Account Control.  The
  search returns the count, the first time activity was seen, last time activity was
  seen, the registry path that was modified, the host where the modification took
  place and the user that performed the modification.
entities:
  - dest
how_to_implement: To successfully implement this search, you must be ingesting data
  that records registry activity from your hosts to populate the endpoint data model
  in the registry node. This is typically populated via endpoint detection-and-response
  products, such as Carbon Black, or via other endpoint data sources, such as Sysmon.
  The data used for this search is typically generated via logs that report registry
  modifications.
id: bbc644bc-37df-4e1a-9c88-ec9a53e2038c
investigations:
  - id: fecf2918-670d-4f1c-872b-3d7317a41xf9
    name: Get Registry Activities
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
known_false_positives: This registry key may be modified via administrators to implement
  a change in system policy. This type of change should be a very rare occurrence.
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
mappings:
  cis20:
    - CIS 8
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack:
    - Defense Evasion
    - Modify Registry
  nist:
    - PR.PT
    - DE.CM
modification_date: '2018-12-03'
name: Disabling Remote User Account Control
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'