0 Replies Latest reply on Sep 29, 2015 7:47 AM by c14us

    Custom Rules: UAC logging

    c14us

      Hi All


      Would like some input on logging of UAC usage (presume some of you have had some fun with those).


      Have made some 'around the bush' rules by utilizing consent.exe, but I really would like to narrow it down a bit.

      These two rules will only show when a UAC prompt is presented, and do not tell if it has been approved/validated.

      The first rule simply makes a read check on the .wav file used for UAC. This rule will feed back the user credentials initiating administrative elevation.

      The second rule checks for a run action on consent.exe (svchost does this, as part of the rather long and complicated process of rights elevation).

      They look like this:


      Rule {
          tag "Windows User Account Control.wav"
          Class Files
          Id 4021
          level 3
          files { Include "C:\\Windows\\Media\\Windows user Account Control.wav" }
          Executable { Include { -desc "CONSENT UI FOR ADMINISTRATIVE APPLICATIONS" } }
          directives files:read
      }

      Rule {
          tag "Consent yadayada"
          Class Program
          Id 4020
          level 3
          Target_Executable { Include { -sdn "*" -desc "CONSENT UI FOR ADMINISTRATIVE APPLICATIONS" } }
          directives program:run
      }


      If anyone has spent several hours digging deeper into the elevation process, please share your knowledge. What I would of course like to end up with is logging of the crucial step where consent (via multiple steps) executes the selected program with the admin token (and then ending up with the possibility to allow and deny it).


      Best Regards

      Claus
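As an added example (not part of the original post and not a HIPS rule), the "crucial step" the poster is after can also be observed from the Windows Security log: event 4688 (process creation) carries a Token Elevation Type, and value %%1937 (TokenElevationTypeFull) marks a process launched with the full administrator token, i.e. after the consent prompt was approved. The script below runs that check over constructed sample events in a flattened key=value form; the field names follow the 4688 event data and the sample lines are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Meaning of the 4688 Token Elevation Type values.
TOKEN_TYPES = {
    "%%1936": "default",  # no split token: services, SYSTEM, or UAC disabled
    "%%1937": "full",     # full admin token: consent/credentials were approved
    "%%1938": "limited",  # filtered token of a split-token administrator
}

# Constructed sample 4688 events (not real log data).
SAMPLE_EVENTS = [
    "EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\notepad.exe "
    "TokenElevationType=%%1938 ParentProcessName=C:\\Windows\\explorer.exe",
    "EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "TokenElevationType=%%1937 ParentProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\\Windows\\System32\\consent.exe "
    "TokenElevationType=%%1936 ParentProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4688 SubjectUserName=bob NewProcessName=C:\\Windows\\regedit.exe "
    "TokenElevationType=%%1937 ParentProcessName=C:\\Windows\\System32\\svchost.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value event line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def elevated_launches(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, new process, parent) for every 4688 event that ran with the full token.

    Assumes UAC is enabled: with UAC switched off every administrator process
    also reports %%1937, so the signal would then lose its meaning.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        if TOKEN_TYPES.get(ev.get("TokenElevationType", ""), "unknown") != "full":
            continue
        hits.append((ev.get("SubjectUserName", "?"),
                     ev.get("NewProcessName", "?"),
                     ev.get("ParentProcessName", "?")))
    return hits


if __name__ == "__main__":
    for user, proc, parent in elevated_launches(SAMPLE_EVENTS):
        print(f"elevated launch: {user} -> {proc} (parent {parent})")
```

The consent.exe launch itself shows up with the default token, which is why matching on consent.exe alone, as the HIPS rules above do, reports the prompt but not the approval.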