title: UAC Bypass via Event Viewer status: experimental description: Detects UAC bypass method using Windows event viewer references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth logsource: product: windows service: sysmon detection: methregistry: EventID: 13 TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command' methprocess: EventID: 1 # Migration to process_creation requires multipart YAML ParentImage: '*\eventvwr.exe' filterprocess: Image: '*\mmc.exe' condition: methregistry or ( methprocess and not filterprocess ) fields: - CommandLine - ParentCommandLine tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1088 falsepositives: - unknown level: critical