
UadPlugin (Legacy)

UadPlugin.dll is the legacy rule-based user-activity/anomaly detector (UAD) in GCIS. Current stacks still ship it for compatibility, but on modern deployments the primary detection path is UadMLPlugin.

File Info

Property         Value
File             UadPlugin.dll
Size             14,990,368 bytes
Architecture     x64 (AMD64)
Build PDB Path   C:\builds\gfn\security\gcis\out\x86_64-windows-release\UadPlugin\UadPlugin.pdb
Export           NvPluginGetInfo

Status

WARNING

Deprecated for newest deployments. Keep for backward compatibility, investigations, and transition seats that still rely on rule-based UAD behavior.

Internal Components (Observed)

  • UadPlugin
  • UadPluginContext
  • UadPluginMessaging
  • SysmonWatcher
  • NetworkWatcher
  • GCISOnSeatPatchingMessage

Detection Domains

1) Sysmon/Event Detection

  • Subscribes to process creation/termination and network event streams.
  • Builds render contexts per event type and applies rule evaluation.

Evidence:

  • GSEC_UAD_Error_CreateRenderContextForSysmonProcessCreationEventsFailed
  • GSEC_UAD_Error_CreateRenderContextForSysmonProcessTerminationEventsFailed
  • GSEC_UAD_Error_FailedToSubscribeToSysmonEvents

2) Network/Adapter Integrity Detection

  • Monitors adapter/socket/unicast/gateway/mac-level changes.
  • Flags suspicious socket payload/family/structure anomalies.

Examples from error surface:

  • GSEC_UAD_Error_DetectedSocketStructureLengthChange
  • GSEC_UAD_Error_DetectedSocketFamilyChange
  • GSEC_UAD_Error_DetectedAdapterFlagsChange
  • GSEC_UAD_Error_DetectedAdapterRemoved
  • GSEC_UAD_Error_SuspiciousAdapterChangeWasDetected

3) Behavior/Rate Threshold Detection

  • Process and network burst-rate checks.
  • Invalid-credential attempt checks for specific client workflows (the observed case is Steam password entry).

Examples:

  • GSEC_UAD_Error_ProcessExcessiveNetworkActivityError
  • GSEC_UAD_Error_TooManyProcessesError
  • GSEC_UAD_Error_SuspiciousBurstNetworkActivity
  • GSEC_UAD_Error_AttemptToEnterInvalidSteamPasswordDetected

4) On-seat Patching Messages

  • Parses dedicated patching domain messages.
  • Tracks patching context fields for policy decisions.

Proto indicators:

  • GCISOnSeatPatchingDef.proto
  • GCISOnSeatPatchingMessage.filePath
  • GCISOnSeatPatchingMessage.image
  • GCISOnSeatPatchingMessage.user

Runtime Flow (How It Works)

1) Init

  • Loads UAD rules/config from seat/userdata.
  • Starts sysmon and network watchers.
  • Registers message handlers.

2) Collect

  • Receives event payloads and current state snapshots.
  • Normalizes process/network fields.

3) Decide

  • Applies rule thresholds and exception logic.
  • Maps matches to GSEC_UAD_Error_* outcome families.

4) Enforce

  • Reports violations to GCIS.
  • Triggers session termination path for severe detections.
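The adapter-integrity and rate-threshold rules above, driven through the Init/Collect/Decide/Enforce flow, as an added Python illustration that is not code from UadPlugin.dll. Only the GSEC_UAD_* family names come from this page; the event shapes, the window and threshold values in RULES, the mapping of a MAC change to SuspiciousAdapterChangeWasDetected, and the choice of which families are severe enough to terminate the session are assumptions made for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical thresholds: the real UAD rule/config values are not on this page.
RULES = {
    "window_seconds": 10,
    "max_processes_per_window": 4,  # exceeded -> GSEC_UAD_Error_TooManyProcessesError
    "max_conns_per_process": 3,     # exceeded -> GSEC_UAD_Error_ProcessExcessiveNetworkActivityError
    "max_conns_per_window": 6,      # exceeded -> GSEC_UAD_Error_SuspiciousBurstNetworkActivity
}

# Assumption: which families count as "severe" enough to end the session.
SEVERE = {
    "GSEC_UAD_Error_DetectedAdapterRemoved",
    "GSEC_UAD_Error_SuspiciousAdapterChangeWasDetected",
}


@dataclass(frozen=True)
class Verdict:
    code: str    # GSEC_UAD_Error_* / GSEC_UAD_Warning_* family name
    detail: str  # human-readable reason for the report


class RuleUad:
    """Collect + Decide over normalized watcher events (hypothetical event shapes)."""

    def __init__(self, rules=None):
        self.rules = rules or RULES
        self.proc_times = deque()             # process-creation timestamps inside the window
        self.conn_times = deque()             # connection timestamps inside the window
        self.conns_by_pid = defaultdict(int)  # cumulative connections per live pid
        self.adapters = None                  # last NetworkWatcher snapshot {name: {mac, flags}}

    def _prune(self, q, now):
        while q and now - q[0] > self.rules["window_seconds"]:
            q.popleft()

    def _diff_adapters(self, current):
        """Adapter-integrity rules: compare the new snapshot against the previous one."""
        out = []
        if self.adapters is not None:
            for name, prev in self.adapters.items():
                cur = current.get(name)
                if cur is None:
                    out.append(Verdict("GSEC_UAD_Error_DetectedAdapterRemoved", name))
                    continue
                if cur["flags"] != prev["flags"]:
                    out.append(Verdict("GSEC_UAD_Error_DetectedAdapterFlagsChange",
                                       f"{name}: flags {prev['flags']:#x} -> {cur['flags']:#x}"))
                if cur["mac"] != prev["mac"]:  # assumption: a MAC change is the "suspicious" case
                    out.append(Verdict("GSEC_UAD_Error_SuspiciousAdapterChangeWasDetected",
                                       f"{name}: mac {prev['mac']} -> {cur['mac']}"))
        self.adapters = {n: dict(a) for n, a in current.items()}
        return out

    def handle(self, ev):
        """Return the verdicts produced by one event (empty list if none)."""
        verdicts, now, kind = [], ev["t"], ev["type"]
        if kind == "ProcessCreate":
            self.proc_times.append(now)
            self._prune(self.proc_times, now)
            if len(self.proc_times) > self.rules["max_processes_per_window"]:
                verdicts.append(Verdict("GSEC_UAD_Error_TooManyProcessesError",
                                        f"{len(self.proc_times)} creations in window"))
        elif kind == "ProcessTerminate":
            self.conns_by_pid.pop(ev["pid"], None)
        elif kind == "NetworkConnect":
            if ev.get("protocol") not in ("tcp", "udp"):  # warning only, no rate accounting
                return [Verdict("GSEC_UAD_Warning_InvalidNetworkConnectionProtocolInEvent",
                                repr(ev.get("protocol")))]
            pid = ev["pid"]
            self.conn_times.append(now)
            self._prune(self.conn_times, now)
            self.conns_by_pid[pid] += 1
            if self.conns_by_pid[pid] > self.rules["max_conns_per_process"]:
                verdicts.append(Verdict("GSEC_UAD_Error_ProcessExcessiveNetworkActivityError",
                                        f"pid {pid}: {self.conns_by_pid[pid]} connections"))
            if len(self.conn_times) > self.rules["max_conns_per_window"]:
                verdicts.append(Verdict("GSEC_UAD_Error_SuspiciousBurstNetworkActivity",
                                        f"{len(self.conn_times)} connections in window"))
        elif kind == "AdapterSnapshot":
            verdicts.extend(self._diff_adapters(ev["adapters"]))
        return verdicts


def run(events, severe=SEVERE):
    """Enforce step: report every verdict; stop at the first severe one (session termination)."""
    uad, reports = RuleUad(), []
    for ev in events:
        for v in uad.handle(ev):
            reports.append(v)
            if v.code in severe:
                return reports, True
    return reports, False


# Constructed event stream for the demo (not captured from a real seat).
SAMPLE_EVENTS = [
    {"t": 0, "type": "AdapterSnapshot", "adapters": {"eth0": {"mac": "00:11:22:33:44:55", "flags": 0x1}}},
    {"t": 1, "type": "ProcessCreate", "pid": 100},
    {"t": 1, "type": "ProcessCreate", "pid": 101},
    {"t": 2, "type": "ProcessCreate", "pid": 102},
    {"t": 2, "type": "ProcessCreate", "pid": 103},
    {"t": 3, "type": "ProcessCreate", "pid": 104},                        # 5th creation in 10 s
    {"t": 4, "type": "NetworkConnect", "pid": 100, "protocol": "icmp"},   # unsupported protocol
    {"t": 5, "type": "NetworkConnect", "pid": 100, "protocol": "tcp"},
    {"t": 5, "type": "NetworkConnect", "pid": 100, "protocol": "tcp"},
    {"t": 6, "type": "NetworkConnect", "pid": 100, "protocol": "tcp"},
    {"t": 6, "type": "NetworkConnect", "pid": 100, "protocol": "tcp"},    # 4th connection by pid 100
    {"t": 20, "type": "ProcessCreate", "pid": 105},                       # old window expired: quiet
    {"t": 21, "type": "AdapterSnapshot", "adapters": {"eth0": {"mac": "00:11:22:33:44:55", "flags": 0x3}}},
    {"t": 22, "type": "AdapterSnapshot", "adapters": {}},                 # eth0 gone: severe
    {"t": 23, "type": "ProcessCreate", "pid": 106},                       # never evaluated
]

if __name__ == "__main__":
    for v in run(SAMPLE_EVENTS)[0]:
        print(f"{v.code}: {v.detail}")
```

run(SAMPLE_EVENTS) yields five verdicts and returns terminated=True at the adapter removal; the trailing ProcessCreate is never evaluated, which is the point of the severe path: enforcement preempts further collection. Note that the per-process counter is cumulative until the process terminates while the burst counters are windowed, so a slow but persistent talker and a short burst are caught by different rules.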

Error and Warning Families

Warnings

  • GSEC_UAD_Warning_InvalidNetworkConnectionProtocolInEvent
  • GSEC_UAD_Warning_ServiceDisarmed

Errors

  • Config/rule parsing errors
  • Sysmon subscription/rendering errors
  • Network-adapter and socket anomaly errors
  • Patching message parse errors
  • Violation reporting / termination errors

UadPlugin vs UadMLPlugin

Area               UadPlugin (Legacy)                          UadMLPlugin (Current Primary)
Decision model     Rule-based thresholds and signatures        Model-based inference (LightGBM + SageMaker)
Event sources      Sysmon + network adapter/socket watchers    Perfmon + feature extraction + model inference
Explainability     High (explicit rule names/errors)           Medium (scores/features/model output)
Deployment intent  Compatibility and transition                Modern production posture

Migration Guidance

  1. Keep UAD enabled only where legacy policy parity is required.
  2. Prefer UadML as the primary anomaly source in latest stacks.
  3. During migration, compare UAD rule hits vs UadML inference outputs to tune thresholds and avoid double enforcement.
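Step 3, comparing UAD rule hits against UadML outputs during migration, as an added Python example that is not project code. The session rows are constructed; the tuning target (pick the UadML score threshold from a candidate list that agrees most often with the rule hits, then hand each double hit to a single enforcing source) is one reasonable choice for the comparison, not a method the page attributes to GCIS.

```python
# Constructed per-session comparison data (not real UAD/UadML output).
# Each row: session id, set of UAD rule hits, UadML anomaly score in [0, 1].
SESSIONS = [
    ("seat-01", {"GSEC_UAD_Error_TooManyProcessesError"}, 0.92),
    ("seat-02", set(), 0.08),
    ("seat-03", {"GSEC_UAD_Error_SuspiciousBurstNetworkActivity"}, 0.35),
    ("seat-04", set(), 0.71),
    ("seat-05", {"GSEC_UAD_Error_DetectedAdapterRemoved"}, 0.97),
    ("seat-06", set(), 0.55),
]


def compare(sessions, ml_threshold):
    """Bucket sessions by which detector would fire at the given UadML threshold."""
    buckets = {"both": [], "uad_only": [], "ml_only": [], "neither": []}
    for sid, uad_hits, score in sessions:
        uad, ml = bool(uad_hits), score >= ml_threshold
        key = "both" if uad and ml else "uad_only" if uad else "ml_only" if ml else "neither"
        buckets[key].append(sid)
    return buckets


def agreement(sessions, ml_threshold):
    """Fraction of sessions on which the two detectors reach the same verdict."""
    b = compare(sessions, ml_threshold)
    return (len(b["both"]) + len(b["neither"])) / len(sessions)


def pick_threshold(sessions, candidates):
    """Candidate threshold with the highest agreement (ties go to the stricter one)."""
    return max(candidates, key=lambda t: (agreement(sessions, t), t))


def enforcement_plan(sessions, ml_threshold, primary="uadml"):
    """Map each flagged session to exactly one enforcing source to avoid double enforcement.

    Double hits go to `primary`; single-source hits stay with the detector that fired,
    so uad_only sessions stand out as parity gaps to review before UAD is switched off.
    """
    b = compare(sessions, ml_threshold)
    plan = {sid: primary for sid in b["both"]}
    plan.update({sid: "uad" for sid in b["uad_only"]})
    plan.update({sid: "uadml" for sid in b["ml_only"]})
    return plan


if __name__ == "__main__":
    t = pick_threshold(SESSIONS, [0.3, 0.5, 0.6, 0.8, 0.95])
    print("chosen UadML threshold:", t, "agreement:", agreement(SESSIONS, t))
    print("enforcement plan:", enforcement_plan(SESSIONS, t))
```

On the constructed rows the sweep settles on 0.8 (five of six sessions agree); seat-03 remains a UAD-only hit, which is the kind of rule the migration has to either re-express as a UadML feature or consciously drop.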

admindesk.top — Reversed & documented from Asgard rig backups and GCIS plugin binaries.