curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(threat-hunting): User Account Control (UAC) policy change

This commit is contained in:
Ming Di Leom 2025-08-24 10:50:38 +00:00
parent dcda1a17b0
commit c117b84a68
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source/threat-hunting/index.md
View File

@ -2,7 +2,7 @@
title: Splunk Threat Hunting
layout: page
date: 2025-01-15
updated: 2025-08-09
updated: 2025-08-24
---
- [Generate ad_users.csv](ldap-ad-users)
@ -110,6 +110,7 @@ updated: 2025-08-09
- [Suspicious Netscaler CLI](suspicious-netscaler-cli)
- [Suspicious Network Settings](suspicious-network-settings)
- [Suspicious WMI](suspicious-wmi)
- [User Account Control (UAC) policy change](uac-policy-change)
- [UPnP enablement](upnp-enablement)
- [Unauthorised Reverse Proxy Tunnel](unauthorised-reverse-proxy-tunnel)
- [Unauthorised Computer Account Creation](unauthorised-computer-account-creation)

18
source/threat-hunting/uac-policy-change.md Normal file
View File

@ -0,0 +1,18 @@
---
title: User Account Control (UAC) policy change
layout: page
date: 2025-08-24
---
References: [1](https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/#configuration-changes)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="reg.exe" Processes.process IN ("*disablerestrictedadmin*", "*LocalAccountTokenFilterPolicy*", "*UseLogonCredential*") BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
```
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" ((Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Policies\\system*" Registry.registry_value_name="LocalAccountTokenFilterPolicy") OR (Registry.registry_path="*\\CurrentControlSet\Control\SecurityProviders\WDigest*" Registry.registry_value_name="UseLogonCredential")) BY Registry.dest, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.user
| rename Registry.* AS *
```