UAC Bypass Using EventVwr

 1title: UAC Bypass Using EventVwr
 2id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
 3status: test
 4description: Detects the pattern of a UAC bypass using Windows Event Viewer
 5references:
 6    - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
 7    - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
 8    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
 9author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
10date: 2022/04/27
11modified: 2022/11/22
12tags:
13    - attack.defense_evasion
14    - attack.privilege_escalation
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection:
20        TargetFilename|endswith:
21            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used
22            - '\Microsoft\Event Viewer\RecentViews'
23            - '\Microsoft\EventV~1\RecentViews'
24    filter:
25        Image|startswith:
26            - 'C:\Windows\System32\'
27            - 'C:\Windows\SysWOW64\'
28    condition: selection and not filter
29falsepositives:
30    - Unknown
31level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Eventvwr | LOLBAS

  During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If th...

  
  Read More

Related rules

• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Application Using Device Code Authentication Flow
• Applications That Are Using ROPC Authentication Flow