A SOC team should proactively hunt for this behavior as it indicates an adversary is attempting to bypass User Account Control to execute privileged commands without detection. This technique is commonly used in advanced persistent threats to gain deeper access and maintain persistence within a network.
Detection Rule
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
    - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
    - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used
            - '\Microsoft\Event Viewer\RecentViews'
            - '\Microsoft\EventV~1\RecentViews'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
imFileEvent
| where (TargetFileName endswith "\\Microsoft\\Event Viewer\\RecentViews"
         or TargetFileName endswith "\\Microsoft\\EventV~1\\RecentViews")
    and (not((TargetFilePath startswith "C:\\Windows\\System32\\"
              or TargetFilePath startswith "C:\\Windows\\SysWOW64\\")))
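The rule's `selection and not filter` logic, written out as an added Python example (not code from the page or from the Sigma project) and run over constructed Sysmon-style file-event records, so the rule can be regression-tested before it is deployed. It assumes Sysmon Event ID 11 field names (Image, TargetFilename) as the log-source mapping and lower-cases both sides because Sigma string modifiers compare case-insensitively.

```python
# Added example, not the page's or the Sigma project's code: the rule's
# `selection and not filter` logic over constructed Sysmon-style records.
from typing import Dict, Iterable, List

# Values copied from the rule above. Sigma string modifiers compare
# case-insensitively, so both sides are lower-cased before comparison.
RECENTVIEWS_SUFFIXES = (
    "\\microsoft\\event viewer\\recentviews",
    "\\microsoft\\eventv~1\\recentviews",
)
TRUSTED_IMAGE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's `selection and not filter`."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = target.endswith(RECENTVIEWS_SUFFIXES)
    excluded = image.startswith(TRUSTED_IMAGE_PREFIXES)
    return selection and not excluded

def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that should raise an alert."""
    return [e for e in events if matches_rule(e)]

# Constructed sample records (field names follow Sysmon Event ID 11:
# Image, TargetFilename); none of these are real telemetry.
SAMPLE_EVENTS = [
    # eventvwr.exe writing its own MRU file from System32: selection
    # matches but the filter removes it, so no alert.
    {"Image": "C:\\Windows\\System32\\eventvwr.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Event Viewer\\RecentViews"},
    # A user-profile binary writing the 8.3 short-name form: alert.
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\EventV~1\\RecentViews"},
    # Same file name in an unrelated directory: selection does not match.
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Temp\\RecentViews"},
    # Mixed case from a non-system image: still an alert (case-insensitive).
    {"Image": "c:\\users\\bob\\x.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\MICROSOFT\\EVENT VIEWER\\RecentViews"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Because the rule keys on the file write rather than on process creation, how eventvwr.exe was launched does not change whether it fires; only the writing image's path does.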
Scenario: Legitimate Scheduled Task Using Event Viewer
Description: An administrator schedules a task that launches eventvwr.exe to review logs, which may trigger the rule due to process creation.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with Task Scheduler as the parent process or filter by CommandLine containing /s or /m.
Scenario: Admin Performing Event Viewer Log Analysis
Description: A system administrator manually opens Event Viewer to investigate security events, which may be flagged as suspicious behavior.
Filter/Exclusion: Exclude processes launched by users with elevated privileges (e.g., Administrators group) or filter by User field matching known admin accounts.
Scenario: PowerShell Script Launching Event Viewer
Description: A PowerShell script is used to open Event Viewer for log analysis, which may be misinterpreted as a UAC bypass attempt.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the command line includes eventvwr.exe or eventvwr.
Scenario: Group Policy Object (GPO) Deployment via Event Viewer
Description: A GPO is configured to deploy settings through Event Viewer, which may trigger the rule due to process creation or registry changes.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or gpmc.msc and filter by ParentProcessName or User field.
Scenario: Event Viewer Used for Compliance Auditing
Description: An auditor uses Event Viewer to review compliance logs, which may be flagged as suspicious due to the nature of the tool.
Filter/Exclusion: Exclude processes launched from audit tools or filter by User field matching known auditors or compliance roles.