MITRE ATT&CK® Mitigation

M1052: User Account Control

User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks. This mitigation can be implemented through the following measures:

Enable UAC Globally:

- Ensure UAC is enabled through Group Policy by setting `User Account Control: Run all administrators in Admin Approval Mode` to `Enabled`.

Require Credential Prompt:

- Use Group Policy to configure UAC to prompt for administrative credentials instead of just confirmation (`User Account Control: Behavior of the elevation prompt`).

Restrict Built-in Administrator Account:

- Set `Admin Approval Mode` for the built-in Administrator account to `Enabled` in Group Policy.

Secure the UAC Prompt:

- Configure UAC prompts to display on the secure desktop (`User Account Control: Switch to the secure desktop when prompting for elevation`).

Prevent UAC Bypass:

- Block untrusted applications from triggering UAC prompts by configuring `User Account Control: Only elevate executables that are signed and validated`.
- Use EDR tools to detect and block known UAC bypass techniques.

Monitor UAC-Related Events:

- Use Windows Event Viewer to monitor for event ID 4688 (process creation) and look for suspicious processes attempting to invoke UAC elevation.
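An added audit script, not code from MITRE or Glexia, that reads the registry values behind the Group Policy settings above (and the `ConsentPromptBehaviorUser`, `EnableInstallerDetection` and `LocalAccountTokenFilterPolicy` values from the relationship notes further down) and reports where a host diverges from the M1052 measures. It assumes the standard Windows value names; three of them (`FilterAdministratorToken`, `PromptOnSecureDesktop`, `ValidateAdminCodeSignatures`) are not listed on this page.

```powershell
# Added example, not MITRE's or Glexia's code: compare the UAC policy values a
# host actually carries with the M1052 measures. Run in an elevated session.
$SystemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Want = the value the measure calls for. Default = what Windows assumes when the
# value is absent, given only where "absent" is already the restrictive state.
$Checks = @(
    @{ Name = 'EnableLUA';                     Want = 1; Measure = 'Run all administrators in Admin Approval Mode' }
    # 1 = prompt for credentials on the secure desktop (3 = credentials, but not on the secure desktop)
    @{ Name = 'ConsentPromptBehaviorAdmin';    Want = 1; Measure = 'Behavior of the elevation prompt: prompt for credentials' }
    @{ Name = 'ConsentPromptBehaviorUser';     Want = 0; Measure = 'Standard users: automatically deny elevation requests' }
    @{ Name = 'FilterAdministratorToken';      Want = 1; Measure = 'Admin Approval Mode for the built-in Administrator account' }
    @{ Name = 'PromptOnSecureDesktop';         Want = 1; Measure = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'ValidateAdminCodeSignatures';   Want = 1; Measure = 'Only elevate executables that are signed and validated' }
    @{ Name = 'EnableInstallerDetection';      Want = 1; Measure = 'Detect application installations and prompt for elevation' }
    @{ Name = 'LocalAccountTokenFilterPolicy'; Want = 0; Default = 0; Measure = 'Apply UAC restrictions to local accounts on network logons' }
)

$Values = Get-ItemProperty -Path $SystemKey -ErrorAction Stop

$Report = foreach ($c in $Checks) {
    $prop   = $Values.PSObject.Properties[$c.Name]      # $null when the value is absent
    $actual = $null
    if ($null -ne $prop) { $actual = $prop.Value }
    elseif ($c.ContainsKey('Default')) { $actual = $c.Default }   # absent: documented default applies
    [pscustomobject]@{
        Value    = $c.Name
        Expected = $c.Want
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
        Measure  = $c.Measure
    }
}

$Report | Format-Table -AutoSize
# A REVIEW row is a gap between policy intent and endpoint reality; compare it
# with the applied GPO result before changing anything, since legacy-software
# exceptions may be deliberate and documented.
```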

*Tools for Implementation*

Built-in Windows Tools:

- Group Policy Editor: Configure UAC settings centrally for enterprise environments.
- Registry Editor: Modify UAC-related settings directly, such as `EnableLUA` and `ConsentPromptBehaviorAdmin`.

Endpoint Security Solutions:

- Microsoft Defender for Endpoint: Detects and blocks UAC bypass techniques.
- Sysmon: Logs process creations and monitors UAC elevation attempts for suspicious activity.

Third-Party Security Tools:

- Process Monitor (Sysinternals): Tracks real-time processes interacting with UAC.
- EventSentry: Monitors Windows Event Logs for UAC-related alerts.

Enterprise | M1052 | Mitigation | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

User Account Control is a Windows safeguard that makes privilege elevation harder by requiring approval or administrator credentials before sensitive operating system changes occur. For leaders, the value is not simply “turn UAC on”; it is validating that UAC is centrally configured, prompts are strong enough to resist casual abuse, and SOC teams can see suspicious elevation attempts that may indicate privilege escalation, persistence, or lateral movement risk.

Executive priority

Prioritize UAC as a baseline Windows control for reducing privilege escalation risk and strengthening audit evidence around administrative actions. It is especially relevant where local administrator rights, legacy applications, installer behavior, or service permissions create paths for adversaries to elevate privileges or hijack execution flow. Executives should ask whether UAC policy is enforced through Group Policy, whether exceptions are documented, and whether incident responders can quickly review elevation-related process activity during an investigation.

Technical view

For defenders, validate the UAC configuration against the supplied MITRE measures: enable Admin Approval Mode globally, require credential prompts for elevation, enable Admin Approval Mode for the built-in Administrator account, use secure desktop prompting, and only elevate signed and validated executables where appropriate. Relationship context makes this most relevant to Windows privilege escalation and persistence behaviors including Bypass User Account Control, Application Shimming, Pass the Hash, and Windows execution-flow hijacking via weak installer or service file permissions. SOC teams should confirm process creation visibility, especially Windows Event ID 4688 and Sysmon process creation data where deployed, and tune review workflows for suspicious processes attempting elevation rather than treating UAC prompts as standalone proof of malicious activity.

Likely telemetry

  • Windows process creation events, including Event ID 4688 where enabled
  • Sysmon process creation telemetry where deployed
  • Windows Event Viewer records related to UAC elevation activity
  • Group Policy configuration state for UAC settings
  • Registry configuration values related to UAC, including EnableLUA and ConsentPromptBehaviorAdmin

Detection direction

  • Confirm that process creation logging is actually enabled and retained on Windows systems where UAC enforcement is expected.
  • Correlate elevation attempts with parent process, command line, user context, integrity level where available, and whether the account is a local administrator.
  • Tune for suspicious elevation chains instead of alerting on every legitimate administrator prompt, which can create high false-positive volume.
  • Review UAC-related activity alongside related ATT&CK behaviors: application shimming, UAC bypass, pass-the-hash lateral movement, and execution hijacking through weak installer or service permissions.
  • Validate visibility gaps on endpoints without Sysmon, endpoint security telemetry, or centralized Windows event collection.
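An added triage example, not code from MITRE or Glexia, that applies the correlation and tuning points above to constructed Event ID 4688 records: it decodes token elevation type and integrity level, suppresses the expected interactive admin prompt, escalates elevation by an account outside the documented admin set, and flags an empty CommandLine as a logging gap. The admin-account list and the expected-tool allowlist are assumptions to replace with local values.

```powershell
# Added example, not MITRE's or Glexia's code. Field names are the real 4688
# EventData names; the three records and both lists below are constructed.
$KnownLocalAdmins   = @('jsmith')                                              # assumption
$ExpectedAdminTools = @('C:\Windows\System32\mmc.exe', 'C:\Windows\regedit.exe') # assumption

# TokenElevationType and MandatoryLabel as Windows records them in 4688.
$ElevationName = @{ '%%1936' = 'Type 1 (full token, no UAC)'
                    '%%1937' = 'Type 2 (elevated through UAC)'
                    '%%1938' = 'Type 3 (limited token)' }
$IntegrityName = @{ 'S-1-16-4096' = 'Low'; 'S-1-16-8192' = 'Medium'
                    'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }

$Events = @(   # constructed sample records
    @{ SubjectUserName = 'jsmith'; NewProcessName = 'C:\Windows\System32\mmc.exe'
       ParentProcessName = 'C:\Windows\explorer.exe'; TokenElevationType = '%%1937'
       MandatoryLabel = 'S-1-16-12288'; CommandLine = '"C:\Windows\System32\mmc.exe" eventvwr.msc' }
    @{ SubjectUserName = 'jsmith'; NewProcessName = 'C:\Windows\System32\cmd.exe'
       ParentProcessName = 'C:\Users\jsmith\AppData\Local\Temp\updater.exe'; TokenElevationType = '%%1937'
       MandatoryLabel = 'S-1-16-12288'; CommandLine = '' }
    @{ SubjectUserName = 'contractor'; NewProcessName = 'C:\Windows\System32\notepad.exe'
       ParentProcessName = 'C:\Windows\explorer.exe'; TokenElevationType = '%%1938'
       MandatoryLabel = 'S-1-16-8192'; CommandLine = 'notepad.exe' }
)

function Get-ElevationVerdict([hashtable]$e) {
    $level    = $IntegrityName[$e.MandatoryLabel]
    $elevated = ($e.TokenElevationType -eq '%%1937') -or ($level -in 'High', 'System')
    # Parent is a tuning aid: confirm what your log source records as the creator of brokered elevations.
    $parent   = Split-Path -Leaf $e.ParentProcessName
    $notes    = @()
    # An empty CommandLine on 4688 usually means command-line auditing is off: a visibility gap, not a finding.
    if ([string]::IsNullOrEmpty($e.CommandLine)) { $notes += 'CommandLine empty: check command-line auditing' }
    if (-not $elevated) { $verdict = 'Info: no elevation' }
    elseif ($e.SubjectUserName -notin $KnownLocalAdmins) { $verdict = 'High: elevation by an account outside the documented admin set' }
    elseif (($e.NewProcessName -in $ExpectedAdminTools) -and ($parent -eq 'explorer.exe')) { $verdict = 'Low: expected interactive admin prompt' }
    else { $verdict = 'Review: elevated process outside the expected chain' }
    [pscustomobject]@{ User = $e.SubjectUserName; Process = (Split-Path -Leaf $e.NewProcessName); Parent = $parent
                       Elevation = $ElevationName[$e.TokenElevationType]; Integrity = $level
                       Verdict = $verdict; Notes = ($notes -join '; ') }
}

$Events | ForEach-Object { Get-ElevationVerdict $_ } | Format-Table -AutoSize
```

On the samples, the first record rates Low, the second Review with the logging-gap note, and the third Info.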

Mitigation priorities

  • Enforce UAC centrally through Group Policy, including Admin Approval Mode for administrators.
  • Require administrative credential prompts for elevation rather than relying only on user confirmation where operationally feasible.
  • Enable secure desktop prompting to reduce prompt tampering risk.
  • Restrict the built-in Administrator account by enabling Admin Approval Mode for it.
  • Configure elevation to favor signed and validated executables where appropriate, and review exceptions for legacy software.

Analyst notes and limits

This mitigation has strong operational value because several related ATT&CK techniques depend on abusing or bypassing privilege elevation controls or hijacking execution on Windows systems. The most useful assessment is evidence-based: compare intended Group Policy settings with endpoint reality, then confirm that SOC and IR teams can reconstruct elevation attempts from process telemetry.

The ATT&CK mitigation object does not provide a formal detection section and its platform field is not specified, although the official description is explicitly about Microsoft Windows UAC. Local policy requirements, legacy application compatibility, endpoint logging configuration, and administrative operating model must be assessed before deciding how strict UAC settings should be.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain, ID, Name, Relationship / procedure (7 rows)
Enterprise T1574 Hijack Execution Flow

Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. (Citation: Executable Installers are Vulnerable)

Enterprise T1550.002 Pass the Hash Sub-technique

Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy.

Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)

Enterprise T1546.011 Application Shimming Sub-technique

Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.

Enterprise T1574.005 Executable Installer File Permissions Weakness Sub-technique

Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. (Citation: Executable Installers are Vulnerable)

Enterprise T1548 Abuse Elevation Control Mechanism

Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL.

Enterprise T1548.002 Bypass User Account Control Sub-technique

Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL.

Enterprise T1574.010 Services File Permissions Weakness Sub-technique

Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. (Citation: Executable Installers are Vulnerable)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: b9e3877ef51da29b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle b9e3877ef51d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M1052 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.