title: Use of VisualUiaVerifyNative.exe
id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
status: experimental
description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
    - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
    - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022/06/01
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\VisualUiaVerifyNative.exe'
        - OriginalFileName: 'VisualUiaVerifyNative.exe'
    condition: selection
falsepositives:
    - Legitimate testing of Microsoft UI parts.
level: medium