An adversary may disable User Account Control (UAC) to bypass local security restrictions and gain unauthorized access to system resources. The registry value this rule looks for, UACDisableNotify under HKLM\SOFTWARE\Microsoft\Security Center, does not switch UAC off by itself: it silences the Security Center (Action Center) warning that UAC is turned off, and malware typically sets it right after zeroing EnableLUA so the user is never told. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify privilege escalation or persistence activity that could lead to a more severe compromise.
YARA Rule
rule disable_uax {
    meta:
        author = "x0r"
        description = "Disable User Access Control"
        version = "0.1"
    strings:
        $p1 = "SOFTWARE\\Microsoft\\Security Center" nocase
        $r1 = "UACDisableNotify"
    condition:
        all of them
}
This rule contains two string patterns in its detection logic: $p1, the Security Center registry path (matched case-insensitively because of nocase), and $r1, the UACDisableNotify value name (matched case-sensitively, since it carries no modifier). The condition all of them fires only when a scanned file contains both, so this is a static, file-content detection: it flags droppers, scripts and tools that reference the value, not the registry write itself. Neither pattern carries the wide modifier, so UTF-16 copies of the strings, which is how many .NET and PowerShell payloads store them, are not matched. Sentinel does not execute YARA; run the rule on endpoints, in a sandbox or in a file-scanning pipeline and forward the matches, and pair it with a registry-event hunt (for example DeviceRegistryEvents from the Defender for Endpoint connector, filtered on a RegistryValueName of UACDisableNotify or EnableLUA) so that the change itself is visible as well.
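The following Python is an added example, not code from the rule's author or from the page: it re-implements the rule's two-pattern match so you can see what nocase, the absent wide modifier and all of them mean without a YARA engine (in production you would compile the rule with yara-python, yara.compile(source=...) followed by rules.match(data=...), instead). All sample buffers are constructed; none is taken from real malware.

```python
import re
from typing import Dict, List

# The two patterns from the rule. YARA writes a literal backslash as "\\", so after
# unescaping $p1 is the registry path with single backslashes, which is exactly what a
# raw bytes literal gives us here.
P1_KEY = rb"SOFTWARE\Microsoft\Security Center"   # $p1, declared nocase
R1_VALUE = rb"UACDisableNotify"                    # $r1, case-sensitive (no modifier)


def find_all(data: bytes, needle: bytes, nocase: bool) -> List[int]:
    """Offsets of every occurrence of `needle` in `data`, the way YARA scans a text string."""
    flags = re.IGNORECASE if nocase else 0
    return [m.start() for m in re.finditer(re.escape(needle), data, flags)]


def match_disable_uac(data: bytes) -> Dict[str, object]:
    """Evaluate `condition: all of them` for the rule over a file's raw bytes."""
    hits = {"$p1": find_all(data, P1_KEY, nocase=True),
            "$r1": find_all(data, R1_VALUE, nocase=False)}
    return {"matched": all(hits.values()), "strings": hits}


# Constructed samples (not real malware): fragments such as a dropper's embedded
# command line or the string table of a native binary would look like this.
SAMPLES = {
    # Typical post-exploitation one-liner that silences the "UAC is off" notification.
    "dropper_cmdline": b'reg add "HKLM\\SOFTWARE\\Microsoft\\Security Center" '
                       b'/v UACDisableNotify /t REG_DWORD /d 1 /f',
    # Legitimate AV status tool: reads the Security Center key, never touches the value.
    "benign_av_tool": b'SOFTWARE\\Microsoft\\Security Center\\Monitoring\x00AntiVirusDisableNotify',
    # Mixed-case key path still matches because $p1 is nocase.
    "lowercase_key": b'software\\microsoft\\security center\x00UACDisableNotify',
    # Mixed-case value does NOT match: $r1 has no nocase modifier.
    "lowercase_value": b'SOFTWARE\\Microsoft\\Security Center\x00uacdisablenotify',
    # The same strings as UTF-16LE (how .NET and PowerShell payloads usually store them):
    # the rule has no `wide` modifier, so this one is missed entirely.
    "wide_strings": "SOFTWARE\\Microsoft\\Security Center\0UACDisableNotify".encode("utf-16-le"),
}


def scan_samples() -> Dict[str, bool]:
    """Rule verdict per sample; the misses are the interesting part."""
    return {name: match_disable_uac(blob)["matched"] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16s} {'MATCH' if verdict else 'no match'}")
```

The two misses are the ones to think about: a lower-cased value name slips past because only $p1 is nocase, and a UTF-16 payload slips past because neither string is declared wide. Adding "nocase wide ascii" to both patterns closes both gaps at the cost of a few more hits on legitimate administrative tooling, which is what the exclusions later on this page are for.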
The exclusions below suppress hits whose recorded process context matches a known benign activity. Each filter is written as the negation of the benign case: a hit is kept unless the process name, the parent process name and (where listed) the arguments all match, so a hit that satisfies only one clause still alerts. Process names are trivially spoofable, so scope every exclusion to the hosts, users and change windows where the activity is expected, and do not extend any of them to changes of EnableLUA, which turns UAC off outright.
Scenario: System Maintenance Task
Description: A scheduled maintenance task temporarily suppresses the UAC notification before applying updates or patches. The task action (here reg.exe) is spawned by the svchost.exe instance hosting the Task Scheduler service, so that is the parent to expect.
Filter/Exclusion: process.name != "reg.exe" or process.parent.name != "svchost.exe"
Scenario: Security Policy Change via Group Policy
Description: An administrator changes the UAC settings in a Group Policy Object and forces a refresh with gpupdate.exe from an elevated command prompt; the Group Policy Client service then applies the registry values on each endpoint. services.msc is an MMC snap-in rather than a process, so it never appears as a parent.
Filter/Exclusion: process.name != "gpupdate.exe" or process.parent.name != "cmd.exe"
Scenario: Automated Compliance Check
Description: A configuration-management or compliance agent enforces the organization's UAC baseline, which on some legacy hosts includes setting this value. Replace the placeholder names below with the agent's real image names.
Filter/Exclusion: process.name != "compliance_tool.exe" or process.parent.name != "compliance_scheduler.exe"
Scenario: Help Desk Troubleshooting
Description: An administrator working from an elevated command prompt uses reg.exe to suppress the notification temporarily while diagnosing an elevation problem. This exclusion is broad (any reg.exe under cmd.exe), so restrict it to administrator workstations or a named support group.
Filter/Exclusion: process.name != "reg.exe" or process.parent.name != "cmd.exe"
Scenario: Temporary Disable for Application Compatibility
Description: A developer runs a batch file from the desktop to suppress the notification while testing an application that is incompatible with UAC. The process that executes the batch file is cmd.exe, launched by explorer.exe with the script on its command line. All three clauses are joined with or; an unparenthesized and would change the meaning, because and binds more tightly than or.
Filter/Exclusion: process.name != "cmd.exe" or process.parent.name != "explorer.exe" or process.args != "/c disable_uac.bat"
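The exclusion logic above, applied to constructed sample hits, as an added example that is not part of the original page. The ProcessEvent schema, the host names and the sample command lines are assumptions made for the example; the compliance tool names are the page's own placeholders. It also shows that the page's filter form (clauses joined with or) is, by De Morgan, the negation of the all-clauses-match exclusion, and that a hit matching only half an exclusion still alerts.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Process context recorded with a YARA hit (constructed schema, not a real product's)."""
    host: str
    process_name: str
    parent_name: str
    args: str


# One entry per benign scenario. Every field listed must match for the hit to be
# suppressed. The names are hypothetical; replace them with what your tooling runs.
EXCLUSIONS = [
    {"label": "maintenance task", "process_name": "reg.exe", "parent_name": "svchost.exe"},
    {"label": "group policy refresh", "process_name": "gpupdate.exe", "parent_name": "cmd.exe"},
    {"label": "compliance agent", "process_name": "compliance_tool.exe",
     "parent_name": "compliance_scheduler.exe"},
    {"label": "help desk troubleshooting", "process_name": "reg.exe", "parent_name": "cmd.exe"},
    {"label": "app-compat test", "process_name": "cmd.exe", "parent_name": "explorer.exe",
     "args_contains": "disable_uac.bat"},
]


def matches_exclusion(event: ProcessEvent, exclusion: dict) -> bool:
    """AND over every clause. Windows image names are case-insensitive, so compare folded."""
    if event.process_name.lower() != exclusion["process_name"].lower():
        return False
    if event.parent_name.lower() != exclusion["parent_name"].lower():
        return False
    needle = exclusion.get("args_contains")
    return needle is None or needle.lower() in event.args.lower()


def keep_expression(event: ProcessEvent, exclusion: dict) -> bool:
    """The page's filter form, `a != x or b != y or ...`: keeps the hit unless every
    benign clause holds. A plain `or` chain; an unparenthesized `and` would change it."""
    needle = exclusion.get("args_contains")
    return (event.process_name.lower() != exclusion["process_name"].lower()
            or event.parent_name.lower() != exclusion["parent_name"].lower()
            or (needle is not None and needle.lower() not in event.args.lower()))


def suppressed_by(event: ProcessEvent) -> Optional[str]:
    """Label of the first exclusion that fully matches, or None if the hit should alert."""
    for exclusion in EXCLUSIONS:
        if matches_exclusion(event, exclusion):
            return exclusion["label"]
    return None


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Hits that survive the exclusions and should reach an analyst."""
    return [e for e in events if suppressed_by(e) is None]


# Constructed sample hits; the registry path is abbreviated to the key name for readability.
REG_ARGS = "add HKLM\\SOFTWARE\\Microsoft\\Security Center /v UACDisableNotify /t REG_DWORD /d 1 /f"
SAMPLE_HITS = [
    ProcessEvent("ws-01", "reg.exe", "svchost.exe", REG_ARGS),              # scheduled task action
    ProcessEvent("ws-02", "REG.EXE", "CMD.EXE", REG_ARGS),                  # help desk, odd casing
    ProcessEvent("ws-03", "reg.exe", "WINWORD.EXE", REG_ARGS),              # macro payload: alert
    ProcessEvent("ws-04", "cmd.exe", "explorer.exe", "/c disable_uac.bat"), # developer test
    ProcessEvent("ws-05", "cmd.exe", "wscript.exe", "/c disable_uac.bat"),  # same script, script host parent: alert
    ProcessEvent("ws-06", "powershell.exe", "explorer.exe",
                 "Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Security Center "
                 "-Name UACDisableNotify -Value 1"),                         # no exclusion covers this: alert
]


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        label = suppressed_by(hit)
        print(f"{hit.host}: {'suppressed (' + label + ')' if label else 'ALERT'}")
```

ws-03 is the case the AND semantics exist for: reg.exe is half of two exclusions, but its parent is an Office application, so it alerts. ws-05 shows the same batch file name under a different parent still alerting, which is why the app-compat exclusion carries all three clauses rather than matching on the script name alone.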