← Back to SOC feed Coverage →

UAC Bypass Using Event Viewer RecentViews

sigma HIGH SigmaHQ
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T03:15:01Z · Confidence: medium

Hunt Hypothesis

Detects the pattern of UAC Bypass using Event Viewer RecentViews

Detection Rule

Sigma (Original)

title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
    - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
      type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
    - https://twitter.com/orange_8361/status/1518970259868626944
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-22
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
        CommandLine|contains:
            - '\Event Viewer\RecentViews'
            - '\EventV~1\RecentViews'
    selection_redirect:
        CommandLine|contains: '>'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "\\Event Viewer\\RecentViews" or TargetProcessCommandLine contains "\\EventV~1\\RecentViews") and TargetProcessCommandLine contains ">"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml