{"description": "Enterprise techniques mitigated by User Account Control, ATT&CK mitigation M1052 (v1.2)", "name": "User Account Control (M1052)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "comment": "Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL](https://attack.mitre.org/techniques/T1574/001).", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL](https://attack.mitre.org/techniques/T1574/001).", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.011", "comment": "Changing UAC settings to \"Always Notify\" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "comment": "Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000. Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. (Citation: Executable Installers are Vulnerable)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.005", "comment": "Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000. Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. (Citation: Executable Installers are Vulnerable)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.010", "comment": "Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000. Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. (Citation: Executable Installers are Vulnerable)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy.\n\nThrough GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by User Account Control", "color": "#66b1ff"}]}