From 982d185c74f99e24660e1a4c42168feec9d4e042 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 4 Oct 2024 20:02:31 +0100
Subject: [PATCH 1/2] Add signature for checking UAC key

Add signature for checking enableLUA key
---
 modules/signatures/windows/bypass_uac.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
index ba40b998..47ea1c0c 100644
--- a/modules/signatures/windows/bypass_uac.py
+++ b/modules/signatures/windows/bypass_uac.py
@@ -218,3 +218,27 @@ def run(self):
                 return True
 
         return False
+
+
+class ChecksUACStatus(Signature):
+    name = "checks_uac_status"
+    description = "Checks if UAC (User Access Control) is enabled"
+    severity = 2
+    categories = ["uac"]
+    authors = ["Kevin Ross"]
+    minimum = "0.5"
+    ttps = ["T1548"] # MITRE v6,7,8
+
+    def run(self):
+        indicators = [
+            ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA$",
+
+        ]
+
+        for indicator in indicators:
+            match = self.check_key(pattern=indicator, regex=True)
+            if match:
+                self.data.append({"regkey": match})
+                return True
+
+        return False

From dd63af54843244c2343e5026d3064ce171c89631 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Sat, 5 Oct 2024 08:49:03 +0200
Subject: [PATCH 2/2] Update bypass_uac.py

---
 modules/signatures/windows/bypass_uac.py | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
index 47ea1c0c..cae0c877 100644
--- a/modules/signatures/windows/bypass_uac.py
+++ b/modules/signatures/windows/bypass_uac.py
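Review bot: The added `description` line expands UAC as "User Access Control", but the Windows feature is User Account Control; it should read `description = "Checks if UAC (User Account Control) is enabled"` so analysts filtering reports by the feature's real name find this hit. Reading EnableLUA is discovery that commonly precedes a UAC bypass rather than the bypass itself, and the regex will also fire on benign installers and admin tooling that query the same policy key, so a one-line comment above `ttps` stating that this is a pre-bypass check (and whether a discovery technique such as T1012 belongs alongside T1548) would help triage the severity-2 alert. The pattern is unanchored on the hive, so HKCU paths matching the same tail would also hit, which may be intended but is worth noting in that comment. The whole new class is inside this hunk.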
@@ -230,15 +230,9 @@ class ChecksUACStatus(Signature):
     ttps = ["T1548"] # MITRE v6,7,8
 
     def run(self):
-        indicators = [
-            ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA$",
-
-        ]
-
-        for indicator in indicators:
-            match = self.check_key(pattern=indicator, regex=True)
-            if match:
-                self.data.append({"regkey": match})
-                return True
+        match = self.check_key(pattern=r".*\SOFTWARE\(Wow6432Node\)?Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA$", regex=True)
+        if match:
+            self.data.append({"regkey": match})
+            return True
 
         return False
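Review bot: The raw-string pattern on the added `match = self.check_key(...)` line drops the backslash escaping that the removed line had, so the path separators are no longer literal backslashes: `\S` and `\W` become character-class escapes, `\(Wow6432Node\)?` makes the parentheses literal instead of grouping, and `\M`, `\C`, `\P`, `\E` are rejected by Python's `re` as bad escapes (3.7+), so if `check_key` compiles the pattern with `re` this signature raises rather than matching EnableLUA. In a raw string each separator needs two backslashes: `pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"`. Registry paths are case-insensitive, so unless `check_key` already matches case-insensitively a leading `(?i)` would avoid missing mixed-case key names in the logged calls — worth confirming against the helper. The `run` method is complete within this hunk.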