Potentially Suspicious Event Viewer Child Process

Apr 28, 2026 · attack.privilege-escalation attack.t1548.002 car.2019-04-001 ·

Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Event Viewer Child Process
 2id: be344333-921d-4c4d-8bb8-e584cf584780
 3related:
 4    - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 5      type: derived
 6status: test
 7description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
 8references:
 9    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
10    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
11author: Florian Roth (Nextron Systems)
12date: 2017-03-19
13modified: 2023-09-28
14tags:
15    - attack.privilege-escalation
16    - attack.t1548.002
17    - car.2019-04-001
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        ParentImage|endswith: '\eventvwr.exe'
24    filter_main_generic:
25        Image|endswith:
26            - ':\Windows\System32\mmc.exe'
27            - ':\Windows\System32\WerFault.exe'
28            - ':\Windows\SysWOW64\WerFault.exe'
29    condition: selection and not 1 of filter_main_*
30falsepositives:
31    - Unknown
32level: high

Potentially Suspicious Event Viewer Child Process

Sigma rule (View on GitHub)

References

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100

Related rules