UAC Bypass Using Event Viewer RecentViews

Detects command lines that redirect output into the Event Viewer RecentViews file (under %LOCALAPPDATA%\Microsoft\Event Viewer, or its 8.3 short-name form EventV~1). This is the pattern of the UAC bypass in which a malicious serialized payload is planted in that file and run when the auto-elevated eventvwr.exe loads it.

Sigma rule

title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
    - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
      type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
    - https://twitter.com/orange_8361/status/1518970259868626944
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/11/22
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        # Example: ysoserial.exe -o raw -f BinaryFormatter -g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
        CommandLine|contains:
            - '\Event Viewer\RecentViews'
            - '\EventV~1\RecentViews'
    selection_redirect:
        CommandLine|contains: '>'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
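The following is an added example, not part of the SigmaHQ rule or its site: it re-implements the two selections and the `all of selection_*` condition in plain Python and runs them over a handful of constructed process_creation events (the command lines are made up for illustration, not real telemetry). Sigma's `contains` modifier is case-insensitive by default, so both sides are lowercased. The third sample shows the rule's main blind spot: a payload copied into RecentViews by a separate process, with no `>` in that command line, is not matched.

```python
"""Toy evaluator for the Sigma rule above (added example, not the SigmaHQ rule itself).

Only the CommandLine field is consulted, exactly as in the rule. Sigma string
matching is case-insensitive by default, so the comparison lowercases both sides.
"""

# The two path fragments from selection_path (lowercased once for matching).
RECENTVIEWS_PATHS = (
    r"\event viewer\recentviews",  # long path form
    r"\eventv~1\recentviews",      # 8.3 short-name form used in the rule's example chain
)


def selection_path(cmd: str) -> bool:
    """selection_path: CommandLine|contains any of the RecentViews path fragments."""
    low = cmd.lower()
    return any(fragment in low for fragment in RECENTVIEWS_PATHS)


def selection_redirect(cmd: str) -> bool:
    """selection_redirect: CommandLine|contains '>'."""
    return ">" in cmd


def matches(event: dict) -> bool:
    """condition: all of selection_*  (both selections must hit on the same event)."""
    cmd = event.get("CommandLine", "")
    return selection_path(cmd) and selection_redirect(cmd)


# Constructed sample events (invented for this example, not real logs).
SAMPLE_EVENTS = [
    # 1. The chain from the rule's comment: payload redirected to RecentViews,
    #    copied into the 8.3 short path, then eventvwr.exe launched.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ysoserial.exe -o raw -f BinaryFormatter -g DataSet -c calc > RecentViews "
                    r"& copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe"},
    # 2. Same intent, long path, redirect straight into the target file, mixed case.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'CMD /C type payload.bin > "C:\Users\bob\AppData\Local\Microsoft\Event Viewer\RecentViews"'},
    # 3. Staged variant: the copy runs in its own process with no '>' -> NOT matched by this rule.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy payload.bin %LOCALAPPDATA%\Microsoft\Event Viewer\RecentViews"},
    # 4. Benign: Event Viewer started normally.
    {"Image": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r'"C:\Windows\system32\eventvwr.exe" /s'},
    # 5. Benign: a redirect to an unrelated file.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir > C:\temp\listing.txt"},
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Apply the rule to each event; returns one bool per event in input order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

Because the condition demands the path fragment and the `>` in one command line, the rule is tuned to the published one-liner chain. Teams that want to catch the staged variant (sample 3) would need to extend selection_redirect or add a file-event rule on writes to RecentViews; that is outside what this rule covers.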
