security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
T
frack113 1f8e37351e order yaml
2022-10-28 15:06:36 +02:00

26 lines
1.1 KiB
YAML
Raw Blame History

title: Use of VisualUiaVerifyNative.exe
id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
status: experimental
description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022/06/01
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\VisualUiaVerifyNative.exe'
- OriginalFileName: 'VisualUiaVerifyNative.exe'
condition: selection
falsepositives:
- Legitimate testing of Microsoft UI parts.
level: medium
Reference in New Issue View Git Blame Copy Permalink