UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
Sigma rule

title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
    - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
    - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used
            - '\Microsoft\Event Viewer\RecentViews'
            - '\Microsoft\EventV~1\RecentViews'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
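The rule's logic is small enough to evaluate by hand: a file-creation event (Sigma's file_event category, which on Windows is typically fed by Sysmon Event ID 11) whose TargetFilename ends in the RecentViews path, written by an image that does not live under System32 or SysWOW64. The following is an added example, not code from the Sigma project or the rule's authors: a minimal Python evaluator for exactly this selection/filter/condition, run over constructed sample events. The field names follow the rule; the sample paths, image names and event ids are made up for illustration, and the evaluator assumes Sigma's default case-insensitive string matching.

```python
# Added example (not part of the Sigma rule or the Sigma project): evaluate
# the rule's `selection and not filter` condition over constructed file events.
# Assumption: Sigma string modifiers (endswith/startswith) match case-insensitively.

# `selection`: TargetFilename|endswith. The rule deliberately omits the
# %LOCALAPPDATA% prefix so it still matches when a backend leaves the
# environment variable unexpanded.
RECENTVIEWS_SUFFIXES = (
    "\\Microsoft\\Event Viewer\\RecentViews",
    "\\Microsoft\\EventV~1\\RecentViews",  # 8.3 short-name form
)

# `filter`: Image|startswith. The legitimate writers of RecentViews
# (eventvwr.exe / mmc.exe) live here, so they are excluded.
TRUSTED_IMAGE_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
)


def matches_selection(event: dict) -> bool:
    """True if the written file is the Event Viewer RecentViews file."""
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(s.lower()) for s in RECENTVIEWS_SUFFIXES)


def matches_filter(event: dict) -> bool:
    """True if the writing process is under a trusted system directory."""
    image = event.get("Image", "").lower()
    return any(image.startswith(p.lower()) for p in TRUSTED_IMAGE_PREFIXES)


def rule_fires(event: dict) -> bool:
    """condition: selection and not filter"""
    return matches_selection(event) and not matches_filter(event)


def evaluate(events: list) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_fires(e)]


# Constructed sample file-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: mmc.exe (Event Viewer's host) writing RecentViews -> benign, filtered
    {"id": 1, "Image": "C:\\Windows\\System32\\mmc.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Event Viewer\\RecentViews"},
    # 2: a user-profile binary writing RecentViews -> fires
    {"id": 2, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Event Viewer\\RecentViews"},
    # 3: same, but the backend logged the 8.3 short path -> fires
    {"id": 3, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\EventV~1\\RecentViews"},
    # 4: unrelated file write by the same binary -> no selection match
    {"id": 4, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    # 5: backend left %LOCALAPPDATA% unexpanded; the suffix match still works -> fires
    {"id": 5, "Image": "C:\\Temp\\stage.exe",
     "TargetFilename": "%LOCALAPPDATA%\\Microsoft\\Event Viewer\\RecentViews"},
    # 6: mixed-case system path; case-insensitive filter still excludes it
    {"id": 6, "Image": "C:\\WINDOWS\\SYSTEM32\\mmc.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Event Viewer\\RecentViews"},
]


if __name__ == "__main__":
    print("alerting event ids:", evaluate(SAMPLE_EVENTS))  # [2, 3, 5]
```

Events 2, 3 and 5 alert; 1 and 6 are excluded by the filter and 4 never matches the selection. When tuning this rule, the filter prefixes are the place to look: any additional legitimate writer of RecentViews observed in your environment would be added there rather than by loosening the selection.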