Detectionhightest

Bypass UAC Using Event Viewer

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Jan 05Updated Thu Aug 17674202d0-b22a-4af4-ae5f-2eda1f3da1afwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
    filter:
        Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Testing & Validation

Simulations

atomic-red-teamT1548.002

View on ART

Bypass UAC using Event Viewer (cmd)

GUID: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9

Regression Tests

by SigmaHQ Team

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Sub-techniques

T1547.010 · Port Monitors

Rule Metadata

Rule ID

674202d0-b22a-4af4-ae5f-2eda1f3da1af

Status

test

Level

high

Type

Detection

Created

Wed Jan 05

Modified

Thu Aug 17

Author

François Hubaut

Path

rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1547.010

View on GitHub