UAC Bypass via Event Viewer

 1title: UAC Bypass via Event Viewer
 2id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 3status: experimental
 4description: Detects UAC bypass method using Windows event viewer
 5references:
 6    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 7    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 8author: Florian Roth (Nextron Systems)
 9date: 2017/03/19
10modified: 2023/09/28
11tags:
12    - attack.defense_evasion
13    - attack.privilege_escalation
14    - attack.t1548.002
15    - car.2019-04-001
16logsource:
17    product: windows
18    category: registry_set
19detection:
20    selection:
21        TargetObject|endswith: '\mscfile\shell\open\command'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

• “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking

  

  After digging into Windows 10 and discovering a rather interesting method for bypassing user account control, I decided to spend a little more time investigating other potential techniques for gett…

  
  Read More

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Montepio20Tecnologia.zip'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

Related rules

• Potentially Suspicious Event Viewer Child Process
• UAC Bypass via Sdclt
• CMSTP UAC Bypass via COM Object Access
• HackTool - Empire PowerShell UAC Bypass
• HackTool - UACMe Akagi Execution