From 8368e3879b716a769fcc5f15d71b64344d9d7b60 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 30 Nov 2025 01:38:23 +0000
Subject: [PATCH] feat(threat-hunting): UAC Change

---
 source/threat-hunting/index.md | 3 ++-
 source/threat-hunting/uac-change.md | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 source/threat-hunting/uac-change.md

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 4b908e8..0e6e561 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-10-05
+updated: 2025-11-30
 ---

 - [Generate ad_users.csv](ldap-ad-users)
@@ -112,6 +112,7 @@ updated: 2025-10-05
 - [Suspicious Netscaler CLI](suspicious-netscaler-cli)
 - [Suspicious Network Settings](suspicious-network-settings)
 - [Suspicious WMI](suspicious-wmi)
+- [UAC Change](uac-change)
 - [User Account Control (UAC) policy change](uac-policy-change)
 - [UPnP enablement](upnp-enablement)
 - [Unauthorised Reverse Proxy Tunnel](unauthorised-reverse-proxy-tunnel)
diff --git a/source/threat-hunting/uac-change.md b/source/threat-hunting/uac-change.md
new file mode 100644
index 0000000..ddea261
--- /dev/null
+++ b/source/threat-hunting/uac-change.md
@@ -0,0 +1,12 @@
+---
+title: UAC Change
+layout: page
+date: 2025-11-30
+---
+References: [1](https://www.elastic.co/security-labs/roningloader#batch-scripts-to-bypass-uac-and-av-networking)
+SPL:
+```spl
+index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText="*EnableLUA*"
+```
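Review bot: The SPL in the new uac-change.md fires on any script block that merely contains `EnableLUA`, which includes read-only inspection (e.g. `Get-ItemProperty`) and hardening or GPO scripts that set the value to 1, so the page should say what noise to expect and what a true positive looks like, i.e. a write that sets EnableLUA to 0. One way to keep the search focused while staying broad is to require a write verb alongside the value name, e.g. `ScriptBlockText="*EnableLUA*" (ScriptBlockText="*Set-ItemProperty*" OR ScriptBlockText="*New-ItemProperty*" OR ScriptBlockText="*reg add*")`, and to mention that the reference's batch-script variant would not surface in 4104 at all. The query depends on EventCode 4104 (PowerShell script block logging) being enabled on the endpoints; a one-line prerequisite note would save readers a silent empty result. The index now lists both "UAC Change" and "User Account Control (UAC) policy change"; a sentence on how this page differs from uac-policy-change (presumably script block content versus policy/registry audit events) would help readers choose.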