curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(threat-hunting): UAC Change

This commit is contained in:
Ming Di Leom 2025-11-30 01:38:23 +00:00
parent 55bdad209d
commit 8368e3879b
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source/threat-hunting/index.md
View File

@ -2,7 +2,7 @@
title: Splunk Threat Hunting
layout: page
date: 2025-01-15
updated: 2025-10-05
updated: 2025-11-30
---
- [Generate ad_users.csv](ldap-ad-users)
@ -112,6 +112,7 @@ updated: 2025-10-05
- [Suspicious Netscaler CLI](suspicious-netscaler-cli)
- [Suspicious Network Settings](suspicious-network-settings)
- [Suspicious WMI](suspicious-wmi)
- [UAC Change](uac-change)
- [User Account Control (UAC) policy change](uac-policy-change)
- [UPnP enablement](upnp-enablement)
- [Unauthorised Reverse Proxy Tunnel](unauthorised-reverse-proxy-tunnel)

12
source/threat-hunting/uac-change.md Normal file
View File

@ -0,0 +1,12 @@
---
title: UAC Change
layout: page
date: 2025-11-30
---
References: [1](https://www.elastic.co/security-labs/roningloader#batch-scripts-to-bypass-uac-and-av-networking)
SPL:
```spl
index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText="*EnableLUA*"
```