Bypass UAC via Event Viewer
Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
Elastic rule
[metadata]
creation_date = "2020/03/17"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with
elevated permissions.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Bypass UAC via Event Viewer"
risk_score = 73
rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Windows Security Event Logs",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "eventvwr.exe" and
  not process.executable : (
    "?:\\Windows\\SysWOW64\\mmc.exe",
    "?:\\Windows\\System32\\mmc.exe",
    "?:\\Windows\\SysWOW64\\WerFault.exe",
    "?:\\Windows\\System32\\WerFault.exe",

    /* Crowdstrike specific exclusion as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
    "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe"
  )
'''

note = """## Triage and analysis

### Investigating Bypass UAC via Event Viewer

#### Possible investigation steps

- What did Event Viewer launch in the alert?
  - Focus: alert time, host/user scope, `process.parent.executable`, `process.executable`, `process.command_line`, and integrity level.
  - Implication: escalate when eventvwr.exe launches an unexpected high-integrity child or script/LOLBIN command instead of the normal console or error-reporting helper; lower suspicion only when path normalization proves helper behavior or fields match controlled UAC testing.

- Does the child payload identity and command line fit helper behavior or payload execution?
  - Focus: `process.executable`, `process.hash.sha256`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.command_line`.
  - Hint: use `process.pe.original_file_name` when path, filename, or signer conflicts suggest masquerading.
  - Implication: escalate when the child is unsigned, rare, user-writable, signer-mismatched, or runs PowerShell, cmd.exe, rundll32.exe, mshta.exe, wscript.exe, regsvr32.exe, remote retrieval, encoded content, or admin-path writes; lower suspicion only when identity, signer, hash history, and command intent fit controlled testing or helper behavior.

- What started Event Viewer, and did the session fit an interactive admin task?
  - Focus: recover the Event Viewer start using `host.id` + `process.parent.entity_id`, then review executable, command line, and logon type. $investigate_0
  - Hint: if `process.parent.entity_id` is absent, use `host.id` + `process.parent.pid` in a tight `@timestamp` window; PID-only recovery is weaker. Inspect `process.Ext.ancestry` only when direct lineage is incomplete.
  - Implication: escalate when Office, browser, archive, scripting, RMM, or remote/noninteractive activity launched Event Viewer; lower suspicion only when launcher and session also support controlled testing or helper behavior. Routine Event Viewer use should open Microsoft Management Console, not an arbitrary child.

- Is there corroborating current-user mscfile hijack evidence when process evidence stays suspicious?
  - Focus: if registry telemetry exists, review current-user mscfile shell-open command content, creator/deleter process, and timing; HKCU may render as HKEY_USERS\\<user SID>\\Software\\Classes\\mscfile\\shell\\open\\command.
  - Hint: use this as corroboration, not as a prerequisite for escalation. Missing registry telemetry is unresolved, not benign; absence of the key after the alert can mean cleanup.
  - Implication: escalate or raise confidence when the value points to the alert child, a script interpreter, a temp/user path, or was created or removed around the alert; lower suspicion only when artifact evidence fits the same confirmed test or helper behavior already supported by process evidence.

- What did the elevated child do next?
  - Focus: child process events where `process.parent.entity_id` matches `process.entity_id`; review executable, command line, and integrity level. $investigate_1
  - Hint: prefer entity-ID matches; if only PID matches are available, keep them tightly anchored to `@timestamp`.
  - Implication: escalate when the elevated child spawns shells, discovery, credential tools, droppers, installers, persistence helpers, or network-capable tooling; do not close on absent follow-on children when the original command, lineage, or mscfile evidence remains suspicious.

- Does the same Event Viewer payload pattern recur beyond this host?
  - Range: run only when local process, command, artifact, or lineage evidence remains suspicious or unresolved.
  - Focus: `process.hash.sha256`, stable command-line fragments, and `process.executable`, scoped by host and user.
  - $investigate_2
  - $investigate_3
  - Implication: broaden when the same payload or Event Viewer child pattern appears for unrelated hosts or users; keep locally scoped when recurrence is limited to the same confirmed test cohort and no contradictory local evidence remains.

- Based on the evidence gathered, what disposition is supported?
  - Escalate on strong local abuse signals across child behavior, payload identity, command intent, launcher/session, mscfile artifacts, follow-on children, or scope; close only when process evidence and recovery prove helper normalization or controlled testing; preserve evidence and escalate when registry corroboration is unavailable or evidence is mixed.

### False positive analysis

- This behavior is an operational anti-pattern. Realistic benign paths are controlled UAC testing or a sensor/path-normalization miss for expected Microsoft Management Console (mmc.exe) or Windows Error Reporting (WerFault.exe) child activity. Confirm identity, launcher/session context, command line, and any recovered mscfile artifact support the same benign explanation; if any dimension contradicts it, do not close as benign.
- Build exceptions from the minimum confirmed pattern: stable child hash or signer, exact Event Viewer parent-child relationship, bounded `user.id` and `host.id`, and test or normalization evidence. Avoid exceptions on `process.parent.name`, `process.name`, or `user.name` alone.

### Response and remediation

- If confirmed benign, document the exact evidence that resolved the alert, reverse temporary containment, and keep any exception scoped to the confirmed child identity, parent-child pattern, and host/user cohort.
- If suspicious but unconfirmed, preserve the alert, process event exports, Event Viewer parent and child entity IDs, command lines, hashes/signers, recovered mscfile value/history, child process tree, and process-scoped file or network indicators when available.
- After preservation, apply reversible containment tied to the findings, such as endpoint isolation for non-critical hosts or temporary egress restrictions for confirmed suspicious destinations. Weigh host criticality before isolation.
- If confirmed malicious, preserve the confirmed hashes/domains/destinations and elevated child process details, then isolate the host as needed, block confirmed malicious indicators, and suspend or terminate malicious processes only after recording their evidence.
- Eradicate only the artifacts found during triage: remove malicious payloads, restore the current-user mscfile handler to the expected mmc.exe behavior or remove the malicious override, clean related persistence, and remediate the entry vector that launched Event Viewer.
- Reset credentials or disable accounts only when process/session evidence shows credential exposure, explicit misuse, or attacker use of the affected `user.id`.
- After eradication, reduce repeat exposure by reviewing local administrator membership, using the highest feasible UAC prompt level, and patching affected Windows builds.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.name",
    "process.executable",
    "process.command_line",
    "process.hash.sha256",
    "process.code_signature.trusted",
    "process.Ext.token.integrity_level_name",
    "process.parent.entity_id",
    "process.parent.pid",
    "process.parent.name",
    "process.parent.executable",
]

[transform]

[[transform.investigate]]
label = "Event Viewer parent process event"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts from the elevated child"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now"
relativeTo = "now"

[[transform.investigate]]
label = "Recent process starts with the same child identity"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "process.hash.sha256", queryType = "phrase", value = "{{process.hash.sha256}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
        { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user or host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
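The EQL query and the mscfile corroboration step in the triage notes both hinge on details that are easy to misjudge when the rule is ported to another engine or unit-tested: the `:` operator is case-insensitive, `?` matches exactly one character, `*` any run (which is why `Sys?????` covers both `System32` and `SysWOW64` in the CrowdStrike NT object path form), and a comparison against a missing `process.executable` is null, so such an event never alerts. The following is an added worked example, not Elastic's code, that re-implements the rule's match logic in Python over constructed process-start events and applies the triage guide's corroboration criteria (handler points to the alert child, a script interpreter, or a temp/user path) to constructed `mscfile\shell\open\command` values. The ECS field names and exclusion list are taken from the rule; `eql_match`, `matches_rule`, `assess_mscfile_command`, the interpreter set, the path regex and all sample data are assumptions of this example.

```python
"""Added example (not Elastic's code): replays the rule's EQL matching logic over
constructed process events and scores constructed mscfile handler values with the
corroboration criteria from the triage guide."""
import re
from typing import Dict, List, Optional

# Exclusion list copied from the rule's query. EQL ':' comparisons are
# case-insensitive; '?' matches exactly one character and '*' any run of characters.
EXCLUDED_EXECUTABLES = [
    "?:\\Windows\\SysWOW64\\mmc.exe",
    "?:\\Windows\\System32\\mmc.exe",
    "?:\\Windows\\SysWOW64\\WerFault.exe",
    "?:\\Windows\\System32\\WerFault.exe",
    # CrowdStrike reports NT object paths rather than drive letters
    "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
    "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe",
]

# Child interpreters the triage guide names as escalation signals (assumed set).
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe",
                       "wscript.exe", "regsvr32.exe"}


def eql_match(pattern: str, value: str) -> bool:
    """Approximate EQL's wildcard ':' operator: case-insensitive, '?' = one char, '*' = any run."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_rule(event: Dict[str, Optional[str]]) -> bool:
    """True when a process-start event satisfies the rule's EQL query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_match("eventvwr.exe", event.get("process.parent.name") or ""):
        return False
    executable = event.get("process.executable")
    if executable is None:
        # EQL: comparing a missing field yields null and `not null` does not satisfy
        # the query, so a source that omits process.executable never fires this rule.
        return False
    return not any(eql_match(p, executable) for p in EXCLUDED_EXECUTABLES)


def alerting_ids(events: List[Dict[str, Optional[str]]]) -> List[str]:
    """Ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


def assess_mscfile_command(command_value: str, alert_child_executable: str) -> List[str]:
    """Apply the triage guide's corroboration criteria to an HKCU mscfile
    shell\\open\\command value. Empty list = the value does not corroborate the alert."""
    # The first token is the handler executable; honour a quoted path.
    if command_value.startswith('"'):
        handler = command_value[1:command_value.find('"', 1)]
    else:
        handler = command_value.split(" ", 1)[0]
    name = handler.rsplit("\\", 1)[-1].lower()
    reasons = []
    if handler.lower() == alert_child_executable.lower():
        reasons.append("handler is the alert child")
    if name in SCRIPT_INTERPRETERS:
        reasons.append(f"handler is a script interpreter ({name})")
    # Coarse stand-in for the guide's "temp/user path" (assumed heuristic).
    if re.search(r"\\(temp|tmp|users|appdata)\\", handler, flags=re.IGNORECASE):
        reasons.append("handler lives in a temp or user-writable path")
    return reasons


# Constructed sample events for this example; only the fields the query reads are set.
SAMPLE_EVENTS = [
    {"id": "mmc-normal", "host.os.type": "windows", "event.type": "start",
     "process.parent.name": "eventvwr.exe",
     "process.executable": "C:\\Windows\\System32\\mmc.exe"},
    {"id": "mmc-crowdstrike", "host.os.type": "windows", "event.type": "start",
     "process.parent.name": "eventvwr.exe",
     "process.executable": "\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\mmc.exe"},
    {"id": "cmd-child", "host.os.type": "windows", "event.type": "start",
     "process.parent.name": "EventVwr.EXE",
     "process.executable": "C:\\Windows\\System32\\cmd.exe"},
    {"id": "no-executable", "host.os.type": "windows", "event.type": "start",
     "process.parent.name": "eventvwr.exe", "process.executable": None},
    {"id": "other-parent", "host.os.type": "windows", "event.type": "start",
     "process.parent.name": "explorer.exe",
     "process.executable": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    print("alerting:", alerting_ids(SAMPLE_EVENTS))
    child = "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"  # constructed value
    print(assess_mscfile_command(f'"{child}"', child))
```

Only `cmd-child` alerts: both mmc.exe forms are excluded, the explorer-launched cmd.exe has the wrong parent, and the event without `process.executable` is dropped by null semantics rather than treated as "not excluded". That last case is the check worth running per integration before trusting coverage: if a data source does not populate `process.executable`, this rule is silent for it. The handler assessment returns an empty list for the expected `%SystemRoot%\system32\mmc.exe "%1" %*` value and one reason per matching criterion otherwise, so a non-empty result raises confidence in the way the guide describes without being a prerequisite for escalation.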
Related rules
- Privilege Escalation via Named Pipe Impersonation
- UAC Bypass Attempt via Windows Directory Masquerading
- Potential Exploitation of an Unquoted Service Path Vulnerability
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Unusual Parent-Child Relationship