UAC Bypass Using Event Viewer RecentViews

 1title: UAC Bypass Using Event Viewer RecentViews
 2id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
 3related:
 4    - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
 5      type: similar
 6status: test
 7description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
 8references:
 9    - https://twitter.com/orange_8361/status/1518970259868626944
10    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-11-22
13tags:
14    - attack.defense-evasion
15    - attack.privilege-escalation
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_path:
21        # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
22        CommandLine|contains:
23            - '\Event Viewer\RecentViews'
24            - '\EventV~1\RecentViews'
25    selection_redirect:
26        CommandLine|contains: '>'
27    condition: all of selection_*
28falsepositives:
29    - Unknown
30level: high

References

• x.com

  
  Read More

• Eventvwr on LOLBAS

  

  Eventvwr.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

Related rules

• APT PRIVATELOG Image Load Pattern
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Activity From Anonymous IP Address