curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity
blog/source/threat-hunting/uac-change.md

13 lines
363 B
Markdown
Raw Permalink Blame History

---
title: UAC Change
layout: page
date: 2025-11-30
---
References: [1](https://www.elastic.co/security-labs/roningloader#batch-scripts-to-bypass-uac-and-av-networking)
SPL:
```spl
index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText="*EnableLUA*"
```
Reference in New Issue View Git Blame Copy Permalink