From 3397666c5caad84fc0e7f315b518b094e7dcfaea Mon Sep 17 00:00:00 2001
From: Mohana Shankar D <48013681+msdlearn@users.noreply.github.com>
Date: Tue, 3 Oct 2023 02:14:36 +0530
Subject: [PATCH] New Atomic Test: PromptOnSecureDesktop (#2549)

* New Atomic Test: PromptOnSecureDesktop

* Update T1548.002.yaml

---------

Co-authored-by: Carrie Roberts
---
 atomics/T1548.002/T1548.002.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml
index f5b21e49..6c77003b 100644
--- a/atomics/T1548.002/T1548.002.yaml
+++ b/atomics/T1548.002/T1548.002.yaml
@@ -652,3 +652,17 @@ atomic_tests:
     cleanup_command: |
       Remove-Item #{commandpath} -Recurse -Force
     name: powershell
+- name: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
+  description: |
+    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized.
+    This setting ensures that the elevation prompt is only used in secure desktop mode.
+    Disable User Account Conrol (UAC) for secure desktop by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop to 0.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
+    cleanup_command: |
+      Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
+    name: powershell
+  elevation_required: true
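Review bot: The `description` of the new test misstates what its `command` does: the second sentence, `This setting ensures that the elevation prompt is only used in secure desktop mode.`, describes the default value 1, not the effect of writing 0, and neither sentence says why an adversary wants this — with PromptOnSecureDesktop set to 0 the UAC consent dialog is drawn on the interactive desktop, where code already running in the user's session can observe or spoof it, so the test weakens UAC rather than disabling it (the "Disable UAC" prefix in `name` matches the sibling tests and can stay). The third sentence also has a typo, `Conrol` → `Control`. I would replace the middle sentence with: `By default (value 1) the consent prompt is shown on the secure desktop, which other processes in the user's session cannot read or draw on; setting PromptOnSecureDesktop to 0 moves the prompt onto the interactive desktop, where user-level malware can intercept or spoof it.` Note also that `cleanup_command` writes the Windows default of 1 rather than the pre-test value, so on a host where this setting is managed by Group Policy the cleanup may not reflect the original configuration; a one-line caveat to that effect in the description would help testers.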