cancel
Showing results for 
Search instead for 
Did you mean: 
c14us
Level 7

Custom Rules: UAC logging

Hi All

Would like some input on logging of UAC usage (presume some of you have had some fun with those).

Have made some 'around the bush' rule by utilizing consent.exe. But I really would like to narrow it a bit down.

These two rules will only show when a UAC i presented, and do not tell if it has been approved/validated.

The first rule simply make a read check on the wav file used for UAC. This rule will feedback the user credentials initiating administrative elevation.

The second rule check will make a run action on consent.exe (this will svchost do, as a part of the rather long complicated proces of the rights elevation.)

They look like this:

Rule {

tag "Windows User Account Control.wav"

Class Files

Id 4021

level 3

files { Include "C:\\Windows\\Media\\Windows user Account Control.wav" }

Executable { Include { -desc "CONSENT UI FOR ADMINISTRATIVE APPLICATIONS" }

}

directives files:read

}

Rule {

tag "Consent yadayada"

Class Program

Id 4020

level 3

Target_Executable { Include { -sdn "*" -desc "CONSENT UI FOR ADMINISTRATIVE APPLICATIONS" }

}

directives program:run

}

If anyone has used several hours digging deeper into the elevation process, please share your knowledge. What I of course would like to end up with, is the logging of the crucial step, where consent (via multiple steps) executes the selected program with the admin token (and then end up with the possibility to allow and deny)

Best Regards

Claus

0 Kudos