UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer
Sigma rule (View on GitHub)
1title: UAC Bypass via Event Viewer
2id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
3status: test
4description: Detects UAC bypass method using Windows event viewer
5references:
6 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
7 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
8author: Florian Roth (Nextron Systems)
9date: 2017-03-19
10modified: 2023-09-28
11tags:
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1548.002
15 - car.2019-04-001
16logsource:
17 product: windows
18 category: registry_set
19detection:
20 selection:
21 TargetObject|endswith: '\mscfile\shell\open\command'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
Related rules
- HackTool - Empire PowerShell UAC Bypass
- Potentially Suspicious Event Viewer Child Process
- UAC Bypass via Sdclt
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task