Local Account Token Filtering Disabled-registry
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Local Account Token Filtering Disabled-registry | Standard | Sysmon, Windows | Persistence: Modify Registry (T1112) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects modification of the 'LocalAccountTokenFilterPolicy' registry value. When token filtering is disabled (value set to 1), local administrative accounts can perform remote administrative tasks without the User Account Control (UAC) token filtering that would otherwise restrict them, facilitating lateral movement and remote execution via SMB/WMI.
Why this rule?
Disabling this security feature allows local administrator accounts to perform remote actions with full privileges, facilitating lateral movement. Attackers modify this setting to bypass User Account Control (UAC) restrictions during network propagation. Detection is essential as it indicates preparation for or active lateral movement across your network.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Privilege Escalation → Registry Modification (LocalAccountTokenFilterPolicy) → Lateral Movement → Remote access to administrative shares (C$, ADMIN$).
Impact
Adversaries can use local administrator credentials to move laterally across the network and execute code remotely on systems where this policy has been disabled.
Rule Requirement
Prerequisites
Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Criteria
Action1:
actionname = "Registry Event" AND (( OBJECTNAME endswith "localaccounttokenfilterpolicy" OR OBJECTVALUENAME = "localaccounttokenfilterpolicy" ) AND ( CHANGES = "1" OR INFORMATION = "DWORD (0x00000001)" ) AND ( PROCESSNAME notendswith "deviceenroller.exe" AND PROCESSNAME notendswith "omadmclient.exe" ))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
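The criteria above expressed as detection logic over Sysmon Event ID 13 (RegistryEvent, Value Set) records, as an added example that is not part of the original rule page. The XML events are constructed sample telemetry, and the `CORP\admin` user, image paths and `EnableLUA` negative case are assumptions made for the test, not values from the page:

```python
import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}
# Management agents the rule excludes because they legitimately set this value.
EXCLUDED_PROCESSES = ("deviceenroller.exe", "omadmclient.exe")
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

def parse_sysmon_event(xml_text):
    """Flatten a Sysmon <Event> into {EventData Name: value, 'EventID': id}."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return data

def matches_rule(ev):
    """Apply the page's criteria: LocalAccountTokenFilterPolicy set to 1,
    excluding the two MDM enrollment processes."""
    if ev.get("EventID") != "13":  # Sysmon EventID 13 = RegistryEvent (Value Set)
        return False
    if not ev.get("TargetObject", "").lower().endswith("localaccounttokenfilterpolicy"):
        return False
    if ev.get("Details", "").strip() != "DWORD (0x00000001)":  # 1 = filtering disabled
        return False
    return not ev.get("Image", "").lower().endswith(EXCLUDED_PROCESSES)

def sample_event(image, details, target=POLICY_KEY + r"\LocalAccountTokenFilterPolicy"):
    """Constructed Sysmon Event 13 record for testing; not captured from a real host."""
    return (f'<Event xmlns="{SYSMON_NS}"><System><EventID>13</EventID></System>'
            f'<EventData><Data Name="EventType">SetValue</Data>'
            f'<Data Name="Image">{image}</Data><Data Name="TargetObject">{target}</Data>'
            f'<Data Name="Details">{details}</Data><Data Name="User">CORP\\admin</Data>'
            f'</EventData></Event>')

SAMPLE_EVENTS = [  # constructed telemetry covering a hit, both exclusions and a revert
    sample_event(r"C:\Windows\System32\reg.exe", "DWORD (0x00000001)"),
    sample_event(r"C:\Windows\System32\deviceenroller.exe", "DWORD (0x00000001)"),
    sample_event(r"C:\Windows\System32\omadmclient.exe", "DWORD (0x00000001)"),
    sample_event(r"C:\Windows\regedit.exe", "DWORD (0x00000000)"),  # value reverted to 0
    sample_event(r"C:\Windows\System32\reg.exe", "DWORD (0x00000001)",
                 target=POLICY_KEY + r"\EnableLUA"),  # different value under the same key
]

def detect(xml_events):
    """Return (Image, User) for every event that satisfies the rule."""
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if matches_rule(ev):
            hits.append((ev["Image"], ev["User"]))
    return hits

if __name__ == "__main__":
    for image, user in detect(SAMPLE_EVENTS):
        print(f"ALERT: {user} set LocalAccountTokenFilterPolicy=1 via {image}")
```

Only the reg.exe event that writes 1 to the policy value fires; the MDM agents, the revert to 0 and the write to a sibling value under the same key are all filtered out, mirroring the exclusions in the criteria.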
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Persistence: Modify Registry (T1112), Defense evasion: Modify Registry (T1112)
Future actions
Known False Positives
System administrators intentionally disabling the policy to allow legacy remote management tools or automated deployment scripts to function.
Next Steps
- Identification: Verify the user account that modified the registry key.
- Analysis: Check if the system is a workstation or a server and if remote administrative access is required.
- Response: Revert the registry value to '0' to enforce UAC restrictions on remote connections if no business justification exists.
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| | | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |