EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Use of VisualUiaVerifyNative.exe

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.

MITRE ATT&CK

T1218

Detection Query

selection:
  - Image|endswith: \VisualUiaVerifyNative.exe
  - OriginalFileName: VisualUiaVerifyNative.exe
condition: selection

Author

Christopher Peacock @SecurePeacock, SCYTHE @scythe_io

Created

2022-06-01

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.stealthattack.t1218
Raw Content
title: Use of VisualUiaVerifyNative.exe
id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
status: test
description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
    - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
    - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-01
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\VisualUiaVerifyNative.exe'
        - OriginalFileName: 'VisualUiaVerifyNative.exe'
    condition: selection
falsepositives:
    - Legitimate testing of Microsoft UI parts.
level: medium