UAC Bypass via Event Viewer

 1title: UAC Bypass via Event Viewer
 2id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 3status: test
 4description: Detects UAC bypass method using Windows event viewer
 5references:
 6    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 7    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 8author: Florian Roth (Nextron Systems)
 9date: 2017-03-19
10modified: 2023-09-28
11tags:
12    - attack.defense-evasion
13    - attack.privilege-escalation
14    - attack.t1548.002
15    - car.2019-04-001
16logsource:
17    product: windows
18    category: registry_set
19detection:
20    selection:
21        TargetObject|endswith: '\mscfile\shell\open\command'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

• “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking

  

  After digging into Windows 10 and discovering a rather interesting method for bypassing user account control, I decided to spend a little more time investigating other potential techniques for gett…

  
  Read More

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Montepio20Tecnologia.zip'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

Related rules

• CMSTP UAC Bypass via COM Object Access
• HackTool - Empire PowerShell UAC Bypass
• Potentially Suspicious Event Viewer Child Process
• UAC Bypass via Sdclt
• Bypass UAC Using DelegateExecute