EXPLORE
Sign In
← Back to Explore
sigmahighHunting

UAC Bypass Using Event Viewer RecentViews

Detects the pattern of UAC Bypass using Event Viewer RecentViews

Detection Query

selection_path:
  CommandLine|contains:
    - \Event Viewer\RecentViews
    - \EventV~1\RecentViews
selection_redirect:
  CommandLine|contains: ">"
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-11-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.stealth
Raw Content
title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
    - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
      type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
    - https://twitter.com/orange_8361/status/1518970259868626944
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-22
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
        CommandLine|contains:
            - '\Event Viewer\RecentViews'
            - '\EventV~1\RecentViews'
    selection_redirect:
        CommandLine|contains: '>'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high