TH16114
Detected presence of software components that can tamper with the system security settings.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | high | high | None | None |
About the issueโ
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. System security settings are the first line of defense against the most common attack vectors. For that reason, attackers often aim to tamper with system security settings. Disabling User Access Controls (UAC) and other security settings enables malicious code to execute without being blocked. While the presence of code that tampers with system security settings does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that interact with system security settings. One example of acceptable use for such functions is allowing specialized applications to install as services that monitor the operating system events.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1562.001 - Disable or Modify Tools.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1562.001 - Disable or Modify Tools (External resource - Mitre ATT&CK documentation)
- User Account Control (External resource - Microsoft)