https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513247#M2742 <P>Hey Neelrohit,&nbsp;</P> <P>&nbsp;</P> <P>thank you, I will tweak the BIOCs as you mentioned.</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 29 Aug 2022 13:01:43 GMT RFeyertag 2022-08-29T13:01:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513182#M2732 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>I tested to deactivate my UAC, which was possible without any alert.&nbsp;</P> <P>In my opinion there should be an alert triggerd. What do you think?&nbsp;</P> <P>&nbsp;</P> <P><A href="https://twitter.com/Computeus7/status/1562497080048119808" target="_blank">https://twitter.com/Computeus7/status/1562497080048119808</A></P> <P>Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> Sat, 27 Aug 2022 21:57:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513182#M2732 RFeyertag 2022-08-27T21:57:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513190#M2734 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;,</P> <P>&nbsp;</P> <P>Cortex XDR has many Out of the Box BIOC rules created for UAC bypass events and it generates the alerts on the same. However these rules are detection rules. In the case of the command line posted, XDR collected the event log, however, the BIOC rules designed are not in this manner and you can create a copy of the already existing BIOC rule "T<STRONG>ampering with the Windows User Account Controls (UAC) configuration</STRONG>" and tweak the rule within it with the below:</P> <P>&nbsp;</P> <P>Registry [ action type = all AND registry key name = *SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA* ] AND Host [ host os = windows ]</P> <P>&nbsp;</P> <P>The above rule can generate an alert for you now.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-08-28 at 9.51.08 AM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43397iF01D9E46B7AE42C7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Screenshot 2022-08-28 at 9.51.08 AM.png" alt="Screenshot 2022-08-28 at 9.51.08 AM.png" /></span></P> <P> </P> Sun, 28 Aug 2022 01:51:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513190#M2734 neelrohit 2022-08-28T01:51:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513247#M2742 <P>Hey Neelrohit,&nbsp;</P> <P>&nbsp;</P> <P>thank you, I will tweak the BIOCs as you mentioned.</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 29 Aug 2022 13:01:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/deactivating-uac-should-be-alerted/m-p/513247#M2742 RFeyertag 2022-08-29T13:01:43Z