Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

UAC Bypass Using EventVwr

Detects the pattern of a UAC bypass using Windows Event Viewer

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Antonio Cocomazzi, Florian Roth (Nextron Systems)Created Wed Apr 27Updated Tue Nov 2263e4f530-65dc-49cc-8f80-ccfa95c69d43windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        TargetFilename|endswith:
            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used
            - '\Microsoft\Event Viewer\RecentViews'
            - '\Microsoft\EventV~1\RecentViews'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
twitter.com
3
Resolving title…
lolbas-project.github.io
MITRE ATT&CK
Rule Metadata
Rule ID
63e4f530-65dc-49cc-8f80-ccfa95c69d43
Status
test
Level
high
Type
Detection
Created
Wed Apr 27
Modified
Tue Nov 22
Author
Antonio Cocomazzi, Florian Roth (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
Raw Tags
attack.defense-evasionattack.privilege-escalation
View on GitHub