← Library
sigmaDRL-1.1from SigmaHQ/sigma

UAC Bypass Using EventVwr

Detects the pattern of a UAC bypass using Windows Event Viewer

Quality
98
FP risk
Forks
0
Views
0
Rule sourcerules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
    - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
    - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used
            - '\Microsoft\Event Viewer\RecentViews'
            - '\Microsoft\EventV~1\RecentViews'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high