Detectionmediumtest

Use of VisualUiaVerifyNative.exe

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Christopher Peacock, SCYTHECreated Wed Jun 01b30a8bc5-e21b-4ca2-9420-0a94019ac56awindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\VisualUiaVerifyNative.exe'
        - OriginalFileName: 'VisualUiaVerifyNative.exe'
    condition: selection

False Positives

Legitimate testing of Microsoft UI parts.

References

Resolving title…

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Rule Metadata

Rule ID

b30a8bc5-e21b-4ca2-9420-0a94019ac56a

Status

test

Level

medium

Type

Detection

Created

Wed Jun 01

Author

Christopher Peacock, SCYTHE

Path

rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub