← Back to Explore
sigmahighHunting
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
Detection Query
selection:
TargetFilename|endswith:
- \Microsoft\Event Viewer\RecentViews
- \Microsoft\EventV~1\RecentViews
filter:
Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
condition: selection and not filter
Author
Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
Created
2022-04-27
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.stealth
Raw Content
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
- https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
- https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
# Removed the start just in case the logging backend doesn't expand ENV variables when they're used
- '\Microsoft\Event Viewer\RecentViews'
- '\Microsoft\EventV~1\RecentViews'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- Unknown
level: high