sigmaDRL-1.1from SigmaHQ/sigma
Use of VisualUiaVerifyNative.exe
VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
title: Use of VisualUiaVerifyNative.exe
id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
status: test
description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
- https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-01
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\VisualUiaVerifyNative.exe'
- OriginalFileName: 'VisualUiaVerifyNative.exe'
condition: selection
falsepositives:
- Legitimate testing of Microsoft UI parts.
level: medium