Introduction
Teramind's Registry rules provide real-time monitoring and control over the Windows registry. They allow security and IT teams to detect and prevent tampering with critical system configuration, preserving system integrity and mitigating the risk posed by insider threats or malicious scripts.
Rule Walkthrough
This example rule is configured to detect and notify an administrator of any attempt to modify the registry key associated with disabling the User Account Control (UAC) functionality.
Setting Up the Rule
General Settings
1. Assign a Rule Name. For example, “UAC Injection”.
2. Select a Parent Policy. For example, “Admin Policy”.
3. Select “Activity” for Rule Type.
4. Select “Registry” under Select the type of activities.
Employees
5. Turn on the Inherit targets from Parent Policy option to use the policy’s default targets.
6. Alternatively, turn it off and manually select the employees, departments and/or computers to target from the Assign to field.
7. Optionally, you can exclude targets in the Exclude from rule field.
Registry
8. A default condition block, "Condition 1," should already be present in the rule. Configure the condition as follows:
Condition 1
9. Add the Key criterion by clicking the +Add button.
10. In the Key field, enter "Policies\System". Then, select the Contains condition.
11. Add the Name criterion by clicking the +Add button.
12. In the Name field, enter "EnableLUA". Then, select the Contains condition.
13. Add the Value criterion by clicking the +Add button.
14. In the Value field, enter "0". Then, select the Equals condition.
Actions
15. Select the Notify action.
16. Select the user(s) to notify when the rule is violated. In this example, we selected "OP Admin".
Rationale for the Rule
This rule establishes a critical line of defense against Privilege Escalation. Detecting the attempt to disable User Account Control (UAC) immediately exposes the most common technique attackers and malicious insiders use to gain persistent, silent administrative access across a network.
The rule uses three criteria. The Key (\Policies\System) and Name (EnableLUA) criteria ensure we are targeting the specific registry setting that controls UAC. The Value criterion, set to 0, ensures that the rule only triggers on the exact payload that disables UAC, thereby confirming malicious intent and eliminating false positives.
The Notify action ensures an operations administrator is instantly alerted when this critical activity is detected, allowing the administrator to quickly assess the user's intent and take timely disciplinary or remedial action.
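To show how the three criteria from steps 9-14 combine, here is an added example (not Teramind's rule engine, and not code from the original page) that evaluates constructed registry-change events against the same Key/Name/Value criteria. It assumes the criteria in one condition block are ANDed, that matching is case-insensitive, and that the event fields are named key, name and value.

```python
"""Evaluate constructed registry-change events against the UAC rule from
this walkthrough: Key contains "Policies\\System", Name contains "EnableLUA",
Value equals "0". Example code only; field names and semantics are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    user: str
    key: str    # full key path as an audit record would carry it
    name: str   # registry value name
    value: str  # new data, rendered as a string


# Criteria exactly as configured in steps 9-14: (field, operator, expected)
UAC_DISABLE_RULE = [
    ("key", "contains", "Policies\\System"),
    ("name", "contains", "EnableLUA"),
    ("value", "equals", "0"),
]


def criterion_matches(actual: str, operator: str, expected: str) -> bool:
    # Assumption: comparisons are case-insensitive, as registry paths are.
    a, e = actual.lower(), expected.lower()
    if operator == "contains":
        return e in a
    if operator == "equals":
        return a == e
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(event: RegistryEvent, rule=UAC_DISABLE_RULE) -> bool:
    """Assumption: every criterion in a condition block must hold (AND)."""
    return all(criterion_matches(getattr(event, f), op, exp) for f, op, exp in rule)


def evaluate(events, rule=UAC_DISABLE_RULE):
    """Return the users whose events violate the rule, in event order."""
    return [ev.user for ev in events if rule_matches(ev, rule)]


# Constructed sample events, not real audit data.
_UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    RegistryEvent("alice", _UAC_KEY, "EnableLUA", "0"),                   # disables UAC: violation
    RegistryEvent("bob", _UAC_KEY, "EnableLUA", "1"),                     # re-enables UAC: no match
    RegistryEvent("carol", _UAC_KEY, "ConsentPromptBehaviorAdmin", "0"),  # same key, other value name
    RegistryEvent("dave", r"HKCU\Software\Contoso\App\Settings", "EnableLUA", "0"),  # name outside UAC key
]

if __name__ == "__main__":
    for user in evaluate(SAMPLE_EVENTS):
        print(f"Notify OP Admin: {user} set EnableLUA to 0 under Policies\\System")
```

Only alice's event satisfies all three criteria; the Equals check on Value means a DWORD rendered differently by the agent (for instance as hex) would not match, so confirm how the data is represented before relying on it.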