valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Updated Eventvwr UAC evasion

Browse Source
This commit is contained in:
Florian Roth 2017-03-22 14:40:55 +01:00
parent 7e180365ab
commit 10ee36f26c
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
View File

@ -3,15 +3,23 @@ status: experimental
description: Detects UAC bypass method using Windows event viewer
reference:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
methregistry:
EventID: 13
TargetObject: 'HKEY_USERS\*\mscfile\shell\open\command'
condition: selection
methprocess:
EventID: 1
ParentImage: '*\eventvwr.exe'
filterprocess:
Image: '*\mmc.exe'
condition: methregistry or ( methprocess and not filterprocess )
falsepositives:
- unknown
level: critical